From 9511f08959a5920e71a06a09724b0559d0f6b616 Mon Sep 17 00:00:00 2001
From: Benjamin Lipp
Date: Fri, 10 Sep 2021 17:16:20 +0200
Subject: [PATCH] Update along with new version of eprint
---
 common.dhkem.dh.ocv | 4 +-
 dhkem.auth.insider-cca-lr.m4.ocv | 7 +-
 dhkem.auth.insider-cca-lr.ocv | 11 +-
 dhkem.auth.insider-cca-lr.proof | 8951 +++++++--------
 dhkem.auth.outsider-auth-lr.m4.ocv | 7 +-
 dhkem.auth.outsider-auth-lr.ocv | 11 +-
 dhkem.auth.outsider-auth-lr.proof | 12159 ++++++++++----------
 dhkem.auth.outsider-cca-lr.m4.ocv | 7 +-
 dhkem.auth.outsider-cca-lr.ocv | 11 +-
 dhkem.auth.outsider-cca-lr.proof | 6799 ++++++------
 hpke.auth.insider-cca.proof | 6671 ++++++-----
 hpke.auth.outsider-auth.proof | 15831 +++++++++++++--------------
 hpke.auth.outsider-cca.proof | 7917 +++++++-------
 keyschedule.auth.prf.ocv | 9 +-
 keyschedule.auth.prf.proof | 3124 +++---
 lib.gdh.ocvl | 41 +-
 lib.ocvl | 6791 ++++++------
 17 files changed, 33865 insertions(+), 34486 deletions(-)
diff --git a/common.dhkem.dh.ocv b/common.dhkem.dh.ocv
index 5436c8e..111b561 100644
--- a/common.dhkem.dh.ocv
+++ b/common.dhkem.dh.ocv
@@ -1,7 +1,7 @@
 type G_t [bounded].
 fun Serialize(G_t): bitstring [data].
-type Z_t [bounded,pcoll250,nonuniform].
-proba PCollKey [pest250].
+type Z_t [bounded,nonuniform].
+proba PCollKey.
 expand DH_proba_collision_minimal(
 G_t,
diff --git a/dhkem.auth.insider-cca-lr.m4.ocv b/dhkem.auth.insider-cca-lr.m4.ocv
index c15eaef..e0d6cb7 100644
--- a/dhkem.auth.insider-cca-lr.m4.ocv
+++ b/dhkem.auth.insider-cca-lr.m4.ocv
@@ -1,5 +1,8 @@
 proof {
- allowed_collisions pest150;
+ allowed_collisions default^4/large;
+ (* We allow eliminating collisions with probability in power 4 of
+ N, Qeperuser, Qdperuser, Qcperuser times PCollKey, to allow q^2 * PCollKey,
+ where q = N * (Qeperuser + Qdperuser + Qcperuser) *)
 (* on the left side *)
 out_game "l0.out.cv";
 (* Let appear this case distinction in the Decap oracle,
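Review bot: `proba PCollKey.` now carries no estimate, and nothing in this file says how that collision probability is meant to be bounded once `pest250` is gone; the explanation lives only in the `allowed_collisions` comment of the proof scripts (dhkem.auth.insider-cca-lr.m4.ocv and the .ocv that appears to be generated from it). A one-line comment next to the declaration would keep it readable on its own, e.g. `(* No numeric estimate: the collision probability stays symbolic in the final bound and is handled by allowed_collisions in each proof script. *)`. I infer from the removed pcoll250/pest250 pairing that PCollKey is the collision probability passed to DH_proba_collision_minimal for Z_t; confirm before wording the comment. The `expand DH_proba_collision_minimal(` call continues outside the hunk.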
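Review bot: The new comment explains `allowed_collisions default^4/large` in terms of N, Qeperuser, Qdperuser, Qcperuser but does not say that this only matches because those parameters are default-sized, which the same commit arranges by dropping `[size30]` from their `param` line (hunk @@ -122 of this file, and @@ -288 of dhkem.auth.insider-cca-lr.ocv). Re-adding a size annotation later would presumably change what default^4 covers without any error, so the coupling deserves a sentence here, e.g. `(* Requires N, Qeperuser, Qcperuser, Qdperuser to keep the default size (see their param declaration). *)`. The same comment is duplicated verbatim in the @@ -1,5 hunk of dhkem.auth.insider-cca-lr.ocv, which looks like m4 output of this file; if so, only the m4 source needs the edit. As far as I read the setting, `default` is the size class of parameters declared without a size annotation, so confirm against the CryptoVerif manual. The proof block continues outside the hunk.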
@@ -122,7 +125,7 @@ expand GDH_RSR_minimal(
 include(`common.dhkem.ocv')
-param N, Qeperuser, Qcperuser, Qdperuser [size30].
+param N, Qeperuser, Qcperuser, Qdperuser.
 equivalence
 Ostart() :=
diff --git a/dhkem.auth.insider-cca-lr.ocv b/dhkem.auth.insider-cca-lr.ocv
index e374f12..5cafc9a 100644
--- a/dhkem.auth.insider-cca-lr.ocv
+++ b/dhkem.auth.insider-cca-lr.ocv
@@ -1,5 +1,8 @@
 proof {
- allowed_collisions pest150;
+ allowed_collisions default^4/large;
+ (* We allow eliminating collisions with probability in power 4 of
+ N, Qeperuser, Qdperuser, Qcperuser times PCollKey, to allow q^2 * PCollKey,
+ where q = N * (Qeperuser + Qdperuser + Qcperuser) *)
 (* on the left side *)
 out_game "l0.out.cv";
 (* Let appear this case distinction in the Decap oracle,
@@ -104,8 +107,8 @@ proof {
 type G_t [bounded].
 fun Serialize(G_t): bitstring [data].
-type Z_t [bounded,pcoll250,nonuniform].
-proba PCollKey [pest250].
+type Z_t [bounded,nonuniform].
+proba PCollKey.
 expand DH_proba_collision_minimal(
 G_t,
@@ -288,7 +291,7 @@ letfun AuthDecap(key_extr: hash_key_t, enc: bitstring, skR: Z_t, pkS: G_t) =
-param N, Qeperuser, Qcperuser, Qdperuser [size30].
+param N, Qeperuser, Qcperuser, Qdperuser.
 equivalence
 Ostart() :=
diff --git a/dhkem.auth.insider-cca-lr.proof b/dhkem.auth.insider-cca-lr.proof
index 752f8e9..2bc0394 100644
--- a/dhkem.auth.insider-cca-lr.proof
+++ b/dhkem.auth.insider-cca-lr.proof
@@ -1,4461 +1,4490 @@ -Initial state -Game 1 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - return((pkR_1: G_t <- exp(g, sk); {26}let (skE_2: Z_t, pkE_3: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_3: GG_t <- concatDH(exp(pkR_1, skE_2), exp(pkR_1, sk')); enc_2: bitstring <- Serialize(pkE_3); pkS: G_t <- exp(g, sk'); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); zz_3: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_3, enc_2) else AuthEncap_None)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - return({119}(let (skE_3: Z_t, pkE_4: G_t) = (z_2 <-R Z_t; (z_2, exp(g, z_2))) in dh_4: GG_t <- concatDH(exp(pk_R, skE_3), exp(pk_R, sk)); enc_3: bitstring <- Serialize(pkE_4); pkS_1: G_t <- exp(g, sk); kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); zz_4: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1))); AuthEncap_tuple(zz_4, enc_3) else AuthEncap_None)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - return((skR: Z_t <- sk; let Serialize(pkE_5: G_t) = cd in dh_5: GG_t <- concatDH(exp(pkE_5, skR), exp(pk_S, skR)); pkR_2: G_t <- exp(g, skR); kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); zz_5: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); 
ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2))); AuthDecap_Some(zz_5) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (skE_3: Z_t, pkE_4: G_t) (tuple expanded) at 119 - - Remove else branch of let at 119 - - Simplify pattern (skE_2: Z_t, pkE_3: G_t) (tuple expanded) at 26 - - Remove else branch of let at 26 -yields - -Game 2 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - skE_2: Z_t <- z_1; - dh_3: GG_t <- concatDH(exp(pkR_1, skE_2), exp(pkR_1, sk')); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - skE_3: Z_t <- z_2; - dh_4: GG_t <- concatDH(exp(pk_R, skE_3), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id 
<= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - skR: Z_t <- sk; - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, skR), exp(pk_S, skR)); - pkR_2: G_t <- exp(g, skR); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR (definition removed, all usages removed) - - Remove assignments on skE_3 (definition removed, all usages removed) - - Remove assignments on skE_2 (definition removed, all usages removed) -yields - -Game 3 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- {32}concatDH(exp(pkR_1, z_1), exp(pkR_1, sk')); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- 
Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pkR_1, z_1), exp(pkR_1, sk')) with concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))) at 32 -yields - -Game 4 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, 
label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - {217} let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying insert instruction find ic_1 = ic <= Qcperuser suchthat - defined(zz_3[ic], sk'[ic], enc_2[ic]) - && (enc_2[ic] = cd) - && (exp(g, sk'[ic]) = pk_S) - then at occurrence 217 -yields - -Game 5 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - 
pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - {217} find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - {241} let Serialize(pkE_5: G_t) = {242}cd in - dh_5: GG_t <- {246}concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: 
GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced cd with Serialize(pkE_3[ic_2]) at 242 - - Remove else branch of let at 241 - - Simplify pattern Serialize(pkE_5: G_t) (tuple expanded) at 241 - - Replaced concatDH(exp(pkE_5, sk), exp(pk_S, sk)) with concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))) at 246 - - Replaced defined condition zz_3[ic_3], sk'[ic_3], enc_2[ic_3] with zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3] in find at 217 -yields - -Game 6 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - 
pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - pkE_5: G_t <- pkE_3[ic_2]; - dh_5: GG_t <- concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some({321}zz_5)) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - 
return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying replace term at occurrence 321 with zz_3[ic_2] -yields - -Game 7 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - pkE_5: G_t <- pkE_3[ic_2]; - dh_5: GG_t <- concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying remove assignments of useless - - Remove assignments on pkE_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on key_2 (definition removed, all usages removed) - - Remove assignments on info_2 (definition removed, all usages removed) - - Remove assignments on dh_5 (definition removed, all usages removed) - - Remove assignments on kemContext_5 (definition removed, all usages removed) - - Remove assignments on pkR_2 (definition removed, all usages removed) -yields - -Game 8 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- 
concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - {217} find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying simplify - - 
Simplification pass - - Replaced defined condition zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3] with zz_3[ic_3], sk'[ic_3], enc_2[ic_3] in find at 217 -yields - -Game 9 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - {123} z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- 
concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying insert instruction find i1 <= N suchthat - defined(sk[i1]) - && pk_R = exp(g, sk[i1]) then at occurrence 123 -yields - -Game 10 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, 
label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - else - z_2 <-R Z_t; - pkE_4: G_t <- exp(g, z_2); - dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename z_2 - - Rename variable z_2 into z_7, z_6 -yields - -Game 11 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R 
Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_4: GG_t <- {141}concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && 
(enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pk_R, z_6), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))) at 141 -yields - -Game 12 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_4: GG_t <- concatDH(exp(g, mult(sk[i1_2], 
z_6)), exp(g, mult(sk[i1_2], sk))); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_3: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_3)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - 
return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename enc_3 - - Rename variable enc_3 into enc_10, enc_9 -yields - -Game 13 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_4: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_9)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); - info_1: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename dh_4 - - Rename variable dh_4 into dh_13, dh_12 -yields - -Game 14 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, 
info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_9)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_4, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: 
eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename zz_4 - - Rename variable zz_4 into zz_13, zz_12 -yields - -Game 15 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_4: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_4: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, 
z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_4); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename pkE_4 - - Rename variable pkE_4 into pkE_13, pkE_12 -yields - -Game 16 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_4: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: 
G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename kemContext_4 - - Rename variable kemContext_4 into kemContext_13, kemContext_12 -yields - -Game 17 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename key_1 - - Rename variable key_1 into key_7, key_6 -yields - -Game 18 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= 
Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_1)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_1)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - 
OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying SA rename info_1 - - Rename variable info_1 into info_7, info_6 -yields - -Game 19 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- 
concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: 
eae_input_t) := - {448} return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand( - l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 448 -yields - -Game 20 is - Ostart() := - key_extr_4 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_12, 
enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return(ExtractAndExpand_inner(key_extr_4, x1)) - else - return(ExtractAndExpand_inner(key_extr_4, x1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence 
rom(ExtractAndExpand_inner) with variables: key_extr_4 -> hk -yields - -Game 21 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key, info); {98}find [unique] u_58 = ri_58 <= Qcperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then r_4[u_51] orfind u_50 = ri_50 <= Qh suchthat defined(x_O_5[ri_50], r_5[ri_50]) && {185}(x_O = x_O_5[ri_50]) then r_5[u_50] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring 
<- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {309}find [unique] u_48 = ri_48 <= Qcperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O_2 = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_46 = ri_46 <= Qeperuser, u_47 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], r_1[ri_46, ri_47]) && (x_O_2 = x_O_1[ri_46, ri_47]) then r_1[u_46, u_47] orfind u_44 = ri_44 <= Qeperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O_2 = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then r_4[u_41] orfind u_40 = ri_40 <= Qh suchthat defined(x_O_5[ri_40], r_5[ri_40]) && {396}(x_O_2 = x_O_5[ri_40]) then r_5[u_40] else r_2 <-R eae_output_t; r_2); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {499}find [unique] u_38 = ri_38 <= Qcperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && 
(x_O_1 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qeperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_1 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then r_4[u_31] orfind u_30 = ri_30 <= Qh suchthat defined(x_O_5[ri_30], r_5[ri_30]) && {586}(x_O_1 = x_O_5[ri_30]) then r_5[u_30] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {717}find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_3 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && 
(x_O_3 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then r_4[u_21] orfind u_20 = ri_20 <= Qh suchthat defined(x_O_5[ri_20], r_5[ri_20]) && {804}(x_O_3 = x_O_5[ri_20]) then r_5[u_20] else r_3 <-R eae_output_t; r_3); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_4: eae_input_t <- x1; {855}find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] orfind u_10 = ri_10 <= Qh suchthat defined(x_O_5[ri_10], r_5[ri_10]) && {928}(x_O_4 = x_O_5[ri_10]) then r_5[u_10] else r_4 <-R eae_output_t; r_4)) - else - return((x_O_5: eae_input_t <- x1; {945}find [unique] u_8 = ri_8 <= Qcperuser, u_9 = ri_9 
<= N suchthat defined(x_O[ri_8, ri_9], r[ri_8, ri_9]) && {950}(x_O_5 = x_O[ri_8, ri_9]) then r[u_8, u_9] orfind u_6 = ri_6 <= Qeperuser, u_7 = ri_7 <= N suchthat defined(x_O_1[ri_6, ri_7], r_1[ri_6, ri_7]) && {965}(x_O_5 = x_O_1[ri_6, ri_7]) then r_1[u_6, u_7] orfind u_4 = ri_4 <= Qeperuser, u_5 = ri_5 <= N suchthat defined(x_O_2[ri_4, ri_5], r_2[ri_4, ri_5]) && {980}(x_O_5 = x_O_2[ri_4, ri_5]) then r_2[u_4, u_5] orfind u_2 = ri_2 <= Qdperuser, u_3 = ri_3 <= N suchthat defined(x_O_3[ri_2, ri_3], r_3[ri_2, ri_3]) && {995}(x_O_5 = x_O_3[ri_2, ri_3]) then r_3[u_2, u_3] orfind u_1 = ri_1 <= Qh suchthat defined(x_O_4[ri_1], r_4[ri_1]) && {1008}(x_O_5 = x_O_4[ri_1]) then r_4[u_1] orfind u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) - )) - - -Applying simplify (non-expanded game) [probability N * N * PCollKey] - - Simplification pass - - Replaced (x_O = x_O_5[ri_50]) with false at 185 - - Remove branch 6 in find at 98 - - Replaced (x_O_2 = x_O_5[ri_40]) with false at 396 - - Remove branch 6 in find at 309 - - Replaced (x_O_1 = x_O_5[ri_30]) with false at 586 - - Remove branch 6 in find at 499 - - Replaced (x_O_3 = x_O_5[ri_20]) with false at 804 - - Remove branch 6 in find at 717 - - Replaced (x_O_4 = x_O_5[ri_10]) with false at 928 - - Remove branch 6 in find at 855 - - Replaced (x_O_5 = x_O_4[ri_1]) with false at 1008 - - Remove branch 5 in find at 945 - - Replaced (x_O_5 = x_O_3[ri_2, ri_3]) with false at 995 - - Remove branch 4 in find at 945 - - Replaced (x_O_5 = x_O_2[ri_4, ri_5]) with false at 980 - - Remove branch 3 in find at 945 - - Replaced (x_O_5 = x_O_1[ri_6, ri_7]) with false at 965 - - Remove branch 2 in find at 945 - - Replaced (x_O_5 = x_O[ri_8, ri_9]) with false at 950 - - Remove branch 1 in find at 945 -yields - -Game 22 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t 
<- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key, info); {98}find [unique] u_58 = ri_58 <= Qcperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then r_4[u_51] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_12: eae_output_t <- (x_O_2: eae_input_t <- 
eae_input(lbytes_empty, key_6, info_6); {297}find [unique] u_48 = ri_48 <= Qcperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O_2 = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_46 = ri_46 <= Qeperuser, u_47 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], r_1[ri_46, ri_47]) && (x_O_2 = x_O_1[ri_46, ri_47]) then r_1[u_46, u_47] orfind u_44 = ri_44 <= Qeperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O_2 = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then r_4[u_41] else r_2 <-R eae_output_t; r_2); - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_13: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {475}find [unique] u_38 = ri_38 <= Qcperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_1 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qeperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, 
ri_33]) && (x_O_1 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then r_4[u_31] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - zz_5: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {681}find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_3 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then r_4[u_21] else r_3 <-R eae_output_t; r_3); - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: 
label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_4: eae_input_t <- x1; find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] else r_4 <-R eae_output_t; r_4)) - else - return((x_O_5: eae_input_t <- x1; find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) - )) - - -Applying expand [probability (#Ochall * Qcperuser + 4 * #OAEncap * Qeperuser + #OAEncap * N + N * N) * PCollKey] - - Expand if/find/let - - Remove branch 2 in find at 681 - - Remove branch 4 in find at 475 - - Remove branch 3 in find at 475 - - Remove branch 2 in find at 475 - - Remove branch 1 in find at 475 - - Remove branch 3 in find at 297 - - Remove branch 2 in find at 297 - - Remove branch 2 in find at 98 - - Remove branch 1 in find at 98 -yields - -Game 23 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, 
z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O: eae_input_t <- eae_input(lbytes_empty, key, info); - find [unique] u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O = x_O_2[ri_54, ri_55]) then - zz_3: eae_output_t <- r_2[u_54, u_55]; - return(AuthEncap_tuple(zz_3, enc_2)) - orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then - zz_3: eae_output_t <- r_3[u_52, u_53]; - return(AuthEncap_tuple(zz_3, enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(zz_3, enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(zz_3, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_48 = ri_48 <= Qcperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O_2 = x_O[ri_48, ri_49]) then - zz_12: eae_output_t <- r[u_48, u_49]; - 
return(AuthEncap_tuple(zz_12, enc_9)) - orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then - zz_12: eae_output_t <- r_3[u_42, u_43]; - return(AuthEncap_tuple(zz_12, enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then - zz_12: eae_output_t <- r_4[u_41]; - return(AuthEncap_tuple(zz_12, enc_9)) - else - r_2 <-R eae_output_t; - zz_12: eae_output_t <- r_2; - return(AuthEncap_tuple(zz_12, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then - zz_13: eae_output_t <- r_4[u_31]; - return(AuthEncap_tuple(zz_13, enc_10)) - else - r_1 <-R eae_output_t; - zz_13: eae_output_t <- r_1; - return(AuthEncap_tuple(zz_13, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - x_O_3: eae_input_t <- 
eae_input(lbytes_empty, key_2, info_2); - find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then - zz_5: eae_output_t <- r[u_28, u_29]; - return(AuthDecap_Some(zz_5)) - orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then - zz_5: eae_output_t <- r_2[u_24, u_25]; - return(AuthDecap_Some(zz_5)) - orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then - zz_5: eae_output_t <- r_3[u_22, u_23]; - return(AuthDecap_Some(zz_5)) - orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then - zz_5: eae_output_t <- r_4[u_21]; - return(AuthDecap_Some(zz_5)) - else - r_3 <-R eae_output_t; - zz_5: eae_output_t <- r_3; - return(AuthDecap_Some(zz_5)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- x1; - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, 
u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- x1; - find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_5 (definition point kept, all usages removed) - - Remove assignments on x_O_4 (definition point kept, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_5 (definition removed, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition removed, all usages removed) - - Remove assignments on zz_3 (definition kept, array references kept) - - Remove assignments on zz_3 (definition kept, array references kept) - - Remove assignments on zz_3 (definition kept, array references kept) - - Remove assignments on zz_3 (definition kept, array references kept) -yields - -Game 24 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - 
pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O: eae_input_t <- eae_input(lbytes_empty, key, info); - {97} find [unique] u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && {102}(x_O = x_O_2[ri_54, ri_55]) then - zz_3: eae_output_t <- r_2[u_54, u_55]; - return(AuthEncap_tuple(r_2[u_54, u_55], enc_2)) - orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && {136}(x_O = x_O_3[ri_52, ri_53]) then - zz_3: eae_output_t <- r_3[u_52, u_53]; - return(AuthEncap_tuple(r_3[u_52, u_53], enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(x1[ri_51], x_O_4[ri_51], r_4[ri_51]) && {169}(x_O = x1[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - {307} find [unique] u_48 = ri_48 <= Qcperuser, u_49 = ri_49 <= N suchthat 
defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && {312}(x_O_2 = x_O[ri_48, ri_49]) then - return(AuthEncap_tuple(r[u_48, u_49], enc_9)) - orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && {337}(x_O_2 = x_O_3[ri_42, ri_43]) then - return(AuthEncap_tuple(r_3[u_42, u_43], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(x1[ri_41], x_O_4[ri_41], r_4[ri_41]) && {361}(x_O_2 = x1[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - {467} find [unique] u_31 = ri_31 <= Qh suchthat defined(x1[ri_31], x_O_4[ri_31], r_4[ri_31]) && {471}(x_O_1 = x1[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, 
info_2); - {605} find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && {610}(x_O_3 = x_O[ri_28, ri_29]) then - return(AuthDecap_Some(r[u_28, u_29])) - orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && {632}(x_O_3 = x_O_2[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && {654}(x_O_3 = x_O_3[ri_22, ri_23]) then - return(AuthDecap_Some(r_3[u_22, u_23])) - orfind u_21 = ri_21 <= Qh suchthat defined(x1[ri_21], x_O_4[ri_21], r_4[ri_21]) && {675}(x_O_3 = x1[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - {724} find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && {729}(x1 = x_O[ri_18, ri_19]) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && {747}(x1 = x_O_1[ri_16, ri_17]) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && {765}(x1 = x_O_2[ri_14, ri_15]) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && {783}(x1 = x_O_3[ri_12, ri_13]) then - 
return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(x1[ri_11], x_O_4[ri_11], r_4[ri_11]) && {800}(x1 = x1[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - {820} find [unique] u = ri <= Qh suchthat defined(x1[ri], x_O_5[ri], r_5[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify [probability (#OAEncap * Qcperuser + 8 * N * N) * PCollKey] - - Simplification pass - - Replaced defined condition x1[ri], x_O_5[ri], r_5[ri] with r_5[ri], x1[ri] in find at 820 - - Replaced (x1 = x1[ri_11]) with ((pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11])) at 800 - - Replaced defined condition x1[ri_11], x_O_4[ri_11], r_4[ri_11] with r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11] in find at 724 - - Replaced (x1 = x_O_3[ri_12, ri_13]) with ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 783 - - Replaced defined condition x_O_3[ri_12, ri_13], r_3[ri_12, ri_13] with r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13] in find at 724 - - Replaced (x1 = x_O_2[ri_14, ri_15]) with ((pkS' = pkS_1[ri_14, ri_15]) && (pkR' = 
pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 765 - - Replaced defined condition x_O_2[ri_14, ri_15], r_2[ri_14, ri_15] with r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15] in find at 724 - - Replaced (x1 = x_O_1[ri_16, ri_17]) with ((pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 747 - - Replaced defined condition x_O_1[ri_16, ri_17], r_1[ri_16, ri_17] with r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17] in find at 724 - - Replaced (x1 = x_O[ri_18, ri_19]) with ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 729 - - Replaced defined condition x_O[ri_18, ri_19], r[ri_18, ri_19] with r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19] in find at 724 - - Replaced (x_O_3 = x1[ri_21]) with ((pk_S = 
pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21])) at 675 - - Replaced defined condition x1[ri_21], x_O_4[ri_21], r_4[ri_21] with r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21] in find at 605 - - Replaced (x_O_3 = x_O_3[ri_22, ri_23]) with ((pk_S = pk_S[ri_22, ri_23]) && (i = ri_23) && (pkE_5 = pkE_5[ri_22, ri_23])) at 654 - - In branch 3 of find at 605, substituting u_23 with i - - Replaced defined condition x_O_3[ri_22, ri_23], r_3[ri_22, ri_23] with r_3[ri_22], pkE_5[ri_22], pk_S[ri_22] in find at 605 - - Replaced (x_O_3 = x_O_2[ri_24, ri_25]) with ((pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25])) at 632 - - Replaced defined condition x_O_2[ri_24, ri_25], r_2[ri_24, ri_25] with r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25] in find at 605 - - Replaced (x_O_3 = x_O[ri_28, ri_29]) with ((pk_S = pkS[ri_28, ri_29]) && (i = ri_29) && (pkE_5 = pkE_3[ri_28, ri_29])) at 610 - - Remove branch 1 in find at 605 - - Replaced (x_O_1 = x1[ri_31]) with ((pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31])) at 471 - - Replaced defined condition x1[ri_31], x_O_4[ri_31], r_4[ri_31] 
with r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31] in find at 467 - - Replaced (x_O_2 = x1[ri_41]) with ((pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41])) at 361 - - Replaced defined condition x1[ri_41], x_O_4[ri_41], r_4[ri_41] with r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41] in find at 307 - - Replaced (x_O_2 = x_O_3[ri_42, ri_43]) with ((pkS_1 = pk_S[ri_42, ri_43]) && (i1_2 = ri_43) && (pkE_12 = pkE_5[ri_42, ri_43])) at 337 - - In branch 2 of find at 307, substituting u_43 with i1_2 - - Replaced defined condition x_O_3[ri_42, ri_43], r_3[ri_42, ri_43] with r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2] in find at 307 - - Replaced (x_O_2 = x_O[ri_48, ri_49]) with ((pkS_1 = pkS[ri_48, ri_49]) && (i1_2 = ri_49) && (pkE_12 = pkE_3[ri_48, ri_49]) && (exp(g, mult(sk[i1_2], sk)) = exp(g, mult(sk[ri_49], sk'[ri_48, ri_49]))) && (exp(g, mult(sk[i1_2], z_6)) = exp(g, mult(sk[ri_49], z_1[ri_48, ri_49])))) at 312 - - Remove branch 1 in find at 307 - - Replaced (x_O = x1[ri_51]) with ((pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && 
(suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51])) at 169 - - Replaced defined condition x1[ri_51], x_O_4[ri_51], r_4[ri_51] with r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51] in find at 97 - - Replaced (x_O = x_O_3[ri_52, ri_53]) with ((pkS = pk_S[ri_52, ri_53]) && (i = ri_53) && (pkE_3 = pkE_5[ri_52, ri_53])) at 136 - - In branch 2 of find at 97, substituting u_53 with i - - Replaced defined condition x_O_3[ri_52, ri_53], r_3[ri_52, ri_53] with r_3[ri_52], pkE_5[ri_52], pk_S[ri_52] in find at 97 - - Replaced (x_O = x_O_2[ri_54, ri_55]) with ((pkS = pkS_1[ri_54, ri_55]) && (i = i1_2[ri_54, ri_55]) && (pkE_3 = pkE_12[ri_54, ri_55]) && (exp(g, mult(sk, sk')) = exp(g, mult(sk[i1_2[ri_54, ri_55]], sk[ri_55]))) && (exp(g, mult(sk, z_1)) = exp(g, mult(sk[i1_2[ri_54, ri_55]], z_6[ri_54, ri_55])))) at 102 - - Replaced defined condition x_O_2[ri_54, ri_55], r_2[ri_54, ri_55] with r_2[ri_54, ri_55], z_6[ri_54, ri_55], sk[ri_55], sk[i1_2[ri_54, ri_55]], pkE_12[ri_54, ri_55], pkS_1[ri_54, ri_55] in find at 97 -yields - -Game 25 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O: eae_input_t <- eae_input(lbytes_empty, key, info); - {97} find [unique] u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(r_2[ri_54, ri_55], 
z_6[ri_54, ri_55], sk[ri_55], sk[i1_2[ri_54, ri_55]], pkE_12[ri_54, ri_55], pkS_1[ri_54, ri_55]) && (pkS = pkS_1[ri_54, ri_55]) && (i = i1_2[ri_54, ri_55]) && (pkE_3 = pkE_12[ri_54, ri_55]) && (exp(g, mult(sk, sk')) = exp(g, mult(sk[i1_2[ri_54, ri_55]], sk[ri_55]))) && (exp(g, mult(sk, z_1)) = exp(g, mult(sk[i1_2[ri_54, ri_55]], z_6[ri_54, ri_55]))) then - zz_3: eae_output_t <- r_2[u_54, u_55]; - return(AuthEncap_tuple(r_2[u_54, u_55], enc_2)) - orfind u_52 = ri_52 <= Qdperuser suchthat defined(r_3[ri_52], pkE_5[ri_52], pk_S[ri_52]) && {199}((pkS = pk_S[ri_52]) && (i = i) && (pkE_3 = pkE_5[ri_52])) then - u_53 <= N <- i; - zz_3: eae_output_t <- r_3[u_52]; - return(AuthEncap_tuple(r_3[u_52], enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, 
suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - {471} find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && {484}((pkS_1 = pk_S[ri_42, i1_2]) && (i1_2 = i1_2) && (pkE_12 = pkE_5[ri_42, i1_2])) then - u_43 <= N <- i1_2; - return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) - orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], 
pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && {1004}((pk_S = pk_S[ri_22]) && (i = i) && (pkE_5 = pkE_5[ri_22])) then - u_23 <= N <- i; - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], 
pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) 
&& (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = 
dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify [probability (#OADecap * Qcperuser + #OAEncap * Qdperuser) * PCollKey] - - Simplification pass - - Replaced ((pk_S = pk_S[ri_22]) && (i = i) && (pkE_5 = pkE_5[ri_22])) with ((pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22])) at 1004 - - Replaced ((pkS_1 = pk_S[ri_42, i1_2]) && (i1_2 = i1_2) && (pkE_12 = pkE_5[ri_42, i1_2])) with false at 484 - - Remove branch 1 in find at 471 - - Replaced ((pkS = pk_S[ri_52]) && (i = i) && (pkE_3 = pkE_5[ri_52])) with false at 199 - - Remove branch 2 in find at 97 -yields - -Game 26 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O: eae_input_t <- eae_input(lbytes_empty, key, info); - find [unique] u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(r_2[ri_54, ri_55], z_6[ri_54, ri_55], sk[ri_55], sk[i1_2[ri_54, ri_55]], pkE_12[ri_54, ri_55], pkS_1[ri_54, ri_55]) && (pkS = pkS_1[ri_54, ri_55]) && (i = i1_2[ri_54, ri_55]) && (pkE_3 = pkE_12[ri_54, ri_55]) && (exp(g, mult(sk, sk')) = exp(g, mult(sk[i1_2[ri_54, ri_55]], sk[ri_55]))) && (exp(g, mult(sk, z_1)) = 
exp(g, mult(sk[i1_2[ri_54, ri_55]], z_6[ri_54, ri_55]))) then - zz_3: eae_output_t <- r_2[u_54, u_55]; - return(AuthEncap_tuple(r_2[u_54, u_55], enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = 
label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let 
Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - u_23 <= N <- i; - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, 
protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && 
(suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying move all binders - - Move assignment to x_O_5 - - Move assignment to x_O_4 - - Move assignment to x_O_3 - - Move assignment to info_2 - - Move assignment to key_2 - - Move assignment to kemContext_5 - - Move assignment to x_O_1 - - Move assignment to info_7 - - Move assignment to key_7 - - Move assignment to kemContext_13 - - Move assignment to x_O_2 - - Move assignment to info_6 - - Move assignment to key_6 - - Move assignment to 
kemContext_12 - - Move assignment to x_O - - Move assignment to info - - Move assignment to key - - Move assignment to kemContext_3 -yields - -Game 27 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - find [unique] u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(r_2[ri_54, ri_55], z_6[ri_54, ri_55], sk[ri_55], sk[i1_2[ri_54, ri_55]], pkE_12[ri_54, ri_55], pkS_1[ri_54, ri_55]) && (pkS = pkS_1[ri_54, ri_55]) && (i = i1_2[ri_54, ri_55]) && (pkE_3 = pkE_12[ri_54, ri_55]) && (exp(g, mult(sk, sk')) = exp(g, mult(sk[i1_2[ri_54, ri_55]], sk[ri_55]))) && (exp(g, mult(sk, z_1)) = exp(g, mult(sk[i1_2[ri_54, ri_55]], z_6[ri_54, ri_55]))) then - zz_3: eae_output_t <- r_2[u_54, u_55]; - return(AuthEncap_tuple(r_2[u_54, u_55], enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat 
defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | 
( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - u_23 <= N <- i; - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: 
label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, 
u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_5 (definition removed, all usages removed) - - Remove assignments on u_23 (definition removed, all usages removed) - - Remove assignments on dh_13 (definition removed, all usages removed) - - Remove assignments on dh_12 (definition removed, all usages removed) - - Remove assignments on dh_3 (definition removed, all usages removed) -yields - -Game 28 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- 
exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - find [unique] u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(r_2[ri_54, ri_55], z_6[ri_54, ri_55], sk[ri_55], sk[i1_2[ri_54, ri_55]], pkE_12[ri_54, ri_55], pkS_1[ri_54, ri_55]) && (pkS = pkS_1[ri_54, ri_55]) && (i = i1_2[ri_54, ri_55]) && (pkE_3 = pkE_12[ri_54, ri_55]) && (exp(g, mult(sk, sk')) = exp(g, mult(sk[i1_2[ri_54, ri_55]], sk[ri_55]))) && (exp(g, mult(sk, z_1)) = exp(g, mult(sk[i1_2[ri_54, ri_55]], z_6[ri_54, ri_55]))) then - zz_3: eae_output_t <- r_2[u_54, u_55]; - return(AuthEncap_tuple(r_2[u_54, u_55], enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], 
pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) 
&& (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && 
(suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= 
Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying equivalence gdh(exp) with variables: sk -> a, z_1 -> b. [probability Adv_GDH(time(context for game 28) + time + (1 + #Ochall + N) * time(exp), 2 * Qh * Qdperuser + N * #OAEncap + 3 * Qh * N + 2 * Qeperuser * #Ochall) + (#Ochall + N) * PDistRerandom + (#Ochall * Qcperuser + N * N + 2 * #OAEncap * Qeperuser) * PCollKey] - - Equivalence gdh(exp) with variables: sk -> a, z_1 -> b. 
-yields - -Game 29 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - {41} find [unique] u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(r_2[ri_54, ri_55], z_6[ri_54, ri_55], sk[ri_55], sk[i1_2[ri_54, ri_55]], pkE_12[ri_54, ri_55], pkS_1[ri_54, ri_55]) && (pkS = pkS_1[ri_54, ri_55]) && (i = i1_2[ri_54, ri_55]) && (pkE_3 = pkE_12[ri_54, ri_55]) && (m_7: G_t <- (x_3: Z_t <- sk'; exp(g, mult(sk, x_3))); (m_7 = exp(g, mult(sk[i1_2[ri_54, ri_55]], sk[ri_55])))) && (m_2: G_t <- (x: Z_t <- z_6[ri_54, ri_55]; exp(g, mult(sk[i1_2[ri_54, ri_55]], x))); false) then - zz_3: eae_output_t <- r_2[u_54, u_55]; - return(AuthEncap_tuple(r_2[u_54, u_55], enc_2)) - orfind u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && ((x_4: Z_t <- sk'; exp(g, mult(sk, x_4))) = dh2[ri_51]) && (m_9: G_t <- dh1[ri_51]; false) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_3: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_2)) - else - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_11: G_t <- pk_R; m'_2: G_t <- g; (m_11 = exp(m'_2, sk[i1_3]))) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - enc_9: 
bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m_16: G_t <- dh2[ri_41]; (m_16 = exp(g, mult(sk[i1_2], sk)))) && ((x_5: Z_t <- z_6; exp(g, mult(sk[i1_2], x_5))) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_10: G_t <- dh2[ri_31]; m'_1: G_t <- pk_R; (m_10 = exp(m'_1, sk))) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && 
(enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_18: G_t <- dh2[ri_21]; m'_4: G_t <- pk_S; (m_18 = exp(m'_4, sk))) && (m_17: G_t <- dh1[ri_21]; m'_3: G_t <- pkE_5; (m_17 = exp(m'_3, sk))) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - {878} find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat 
defined(r[ri_18, ri_19], sk[ri_19], sk'[ri_18, ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = (x_6: Z_t <- sk'[ri_18, ri_19]; exp(g, mult(sk[ri_19], x_6)))) && (m_20: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_21: G_t <- dh2; m'_5: G_t <- pk_R[ri_16, ri_17]; (m_21 = exp(m'_5, sk[ri_17]))) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_26: G_t <- dh2; (m_26 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15])))) && (dh1 = (x_7: Z_t <- z_6[ri_14, ri_15]; exp(g, mult(sk[i1_2[ri_14, ri_15]], x_7)))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, 
ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_28: G_t <- dh2; m'_7: G_t <- pk_S[ri_12, ri_13]; (m_28 = exp(m'_7, sk[ri_13]))) && (m_27: G_t <- dh1; m'_6: G_t <- pkE_5[ri_12, ri_13]; (m_27 = exp(m'_6, sk[ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 1 in find at 878 - - Remove branch 2 in find at 41 - - Remove branch 1 in find at 41 - - Find at 41 removed (else branch kept if any) -yields - -Game 30 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - pkR_1: G_t <- exp(g, sk); - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - enc_2: bitstring <- Serialize(pkE_3); - pkS: G_t <- exp(g, sk'); - r <-R eae_output_t; - zz_3: eae_output_t <- r; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - 
foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_11: G_t <- pk_R; m'_2: G_t <- g; (m_11 = exp(m'_2, sk[i1_3]))) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (m_16: G_t <- dh2[ri_41]; x_5: Z_t <- z_6; ((pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m_16 = exp(g, mult(sk[i1_2], sk))) && (exp(g, mult(sk[i1_2], x_5)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]))) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (m_10: G_t <- dh2[ri_31]; m'_1: G_t <- pk_R; ((pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_10 = exp(m'_1, sk)) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]))) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - 
r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(zz_3[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (m_18: G_t <- dh2[ri_21]; m'_4: G_t <- pk_S; m_17: G_t <- dh1[ri_21]; m'_3: G_t <- pkE_5; ((pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_18 = exp(m'_4, sk)) && (m_17 = exp(m'_3, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]))) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: 
two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (m_21: G_t <- dh2; m'_5: G_t <- pk_R[ri_16, ri_17]; ((pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_21 = exp(m'_5, sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (m_26: G_t <- dh2; x_7: Z_t <- z_6[ri_14, ri_15]; ((pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_26 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], x_7))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (m_28: G_t <- dh2; m'_7: G_t <- pk_S[ri_12, ri_13]; m_27: G_t <- dh1; m'_6: G_t <- pkE_5[ri_12, ri_13]; ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_28 = 
exp(m'_7, sk[ri_13])) && (m_27 = exp(m'_6, sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on m_21 (definition removed, all usages removed) - - Remove assignments on m'_5 (definition removed, all usages removed) - - Remove assignments on m_26 (definition removed, all usages removed) - - Remove assignments on x_7 (definition removed, all usages removed) - - Remove assignments on m_28 (definition removed, all usages removed) - - Remove assignments on m'_7 (definition removed, all usages removed) - - Remove assignments on m_27 (definition removed, all usages removed) - - Remove assignments on m'_6 (definition removed, all usages removed) - - Remove assignments on m_18 (definition removed, all usages removed) - - Remove assignments on m'_4 (definition removed, all usages removed) - - Remove assignments on m_17 (definition removed, all usages removed) - - Remove assignments on m'_3 (definition removed, all usages removed) - - Remove assignments on m_10 (definition removed, all usages removed) - - Remove assignments 
on m'_1 (definition removed, all usages removed) - - Remove assignments on m_16 (definition removed, all usages removed) - - Remove assignments on x_5 (definition removed, all usages removed) - - Remove assignments on m_11 (definition removed, all usages removed) - - Remove assignments on m'_2 (definition removed, all usages removed) - - Remove assignments on pkR_1 (definition removed, all usages removed) - - Remove assignments on pkS (definition removed, all usages removed) - - Remove assignments on zz_3 (definition removed, all usages removed) -yields - -Game 31 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - enc_2: bitstring <- Serialize(pkE_3); - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(g, mult(sk[i1_2], sk))) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - enc_10: bitstring <- 
Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (dh2[ri_31] = exp(pk_R, sk)) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, cd: bitstring) := - {345} find ic_2 = ic_3 <= Qcperuser suchthat defined(r[ic_3], r[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(r[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && 
(suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_5, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && 
(label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition r[ic_3], r[ic_3], sk'[ic_3], enc_2[ic_3] with r[ic_3], sk'[ic_3], enc_2[ic_3] in find at 345 -yields - -Game 32 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ic <= Qcperuser do - Ochall(sk': Z_t) := - z_1 <-R Z_t; - pkE_3: G_t <- exp(g, z_1); - enc_2: bitstring <- Serialize(pkE_3); - r <-R eae_output_t; - return(AuthEncap_tuple(r, 
enc_2)) - ) | ( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then - z_6 <-R Z_t; - pkE_12: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_12); - pkS_1: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(g, mult(sk[i1_2], sk))) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_9)) - else - r_2 <-R eae_output_t; - return(AuthEncap_tuple(r_2, enc_9)) - else - z_7 <-R Z_t; - pkE_13: G_t <- exp(g, z_7); - enc_10: bitstring <- Serialize(pkE_13); - pkS_1: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (dh2[ri_31] = exp(pk_R, sk)) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - return(AuthEncap_tuple(r_4[u_31], enc_10)) - else - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_10)) - ) | ( - foreach id <= Qdperuser do - 
OADecap(pk_S: G_t, cd: bitstring) := - find ic_2 = ic_3 <= Qcperuser suchthat defined(r[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then - return(AuthDecap_Some(r[ic_2])) - else - let Serialize(pkE_5: G_t) = cd in - pkR_2: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then - return(AuthDecap_Some(r_3[u_22])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_5, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_16 = ri_16 <= Qeperuser, 
u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], 
protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - -Initial state -Game 33 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - {19} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (pkR_4: G_t <- exp(g, sk_1); {25}let (skE_6: Z_t, pkE_9: G_t) = (z_4 <-R Z_t; (z_4, exp(g, z_4))) in dh_9: GG_t <- concatDH(exp(pkR_4, skE_6), exp(pkR_4, sk'_1)); enc_7: bitstring <- Serialize(pkE_9); pkS_3: G_t <- exp(g, sk'_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pkS_3); zz_9: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_9, enc_7) else AuthEncap_None) in - k' <-R eae_output_t; - return(AuthEncap_tuple(k', ce)) - else - return(AuthEncap_None) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - return({132}(let (skE_7: Z_t, pkE_10: G_t) = (z_5 <-R Z_t; (z_5, exp(g, z_5))) in dh_10: GG_t <- concatDH(exp(pk_R_1, skE_7), exp(pk_R_1, sk_1)); enc_8: bitstring <- Serialize(pkE_10); pkS_4: G_t <- exp(g, sk_1); kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); zz_10: 
eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); AuthEncap_tuple(zz_10, enc_8) else AuthEncap_None)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(ce[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1]) && (ce[ic1, i1] = cd_1) && ((exponent_15: Z_t <- sk'_1[ic1, i1]; exp(g, exponent_15)) = pk_S_1) && ((exponent_16: Z_t <- sk_1[i1]; exp(g, exponent_16)) = exp(g, sk_1)) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - return((skR_1: Z_t <- sk_1; let Serialize(pkE_11: G_t) = cd_1 in dh_11: GG_t <- concatDH(exp(pkE_11, skR_1), exp(pk_S_1, skR_1)); pkR_5: G_t <- exp(g, skR_1); kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); zz_11: eae_output_t <- (key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5))); AuthDecap_Some(zz_11) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (skE_7: Z_t, pkE_10: G_t) (tuple expanded) at 132 - - Remove else branch of let at 132 - - Simplify pattern (skE_6: Z_t, pkE_9: G_t) (tuple expanded) at 25 - - Remove else branch of let at 25 - - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 19 - - Remove else branch of let at 19 -yields - -Game 34 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R 
Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - pkR_4: G_t <- exp(g, sk_1); - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - skE_6: Z_t <- z_4; - dh_9: GG_t <- concatDH(exp(pkR_4, skE_6), exp(pkR_4, sk'_1)); - enc_7: bitstring <- Serialize(pkE_9); - pkS_3: G_t <- exp(g, sk'_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pkS_3); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - ce: bitstring <- enc_7; - k: eae_output_t <- zz_9; - k' <-R eae_output_t; - return(AuthEncap_tuple(k', ce)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - skE_7: Z_t <- z_5; - dh_10: GG_t <- concatDH(exp(pk_R_1, skE_7), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(ce[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1]) && (exponent_15: Z_t <- sk'_1[ic1, i1]; exponent_16: Z_t <- sk_1[i1]; ((ce[ic1, i1] = cd_1) && (exp(g, exponent_15) = pk_S_1) && (exp(g, exponent_16) = exp(g, sk_1)))) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - skR_1: Z_t <- sk_1; - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, skR_1), exp(pk_S_1, skR_1)); - pkR_5: 
G_t <- exp(g, skR_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR_1 (definition removed, all usages removed) - - Remove assignments on exponent_15 (definition removed, all usages removed) - - Remove assignments on exponent_16 (definition removed, all usages removed) - - Remove assignments on skE_7 (definition removed, all usages removed) - - Remove assignments on skE_6 (definition removed, all usages removed) - - Remove assignments on ce (definition removed, all usages removed) - - Remove assignments on k (definition removed, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on key_3 (definition removed, all usages removed) - - Remove assignments on info_3 (definition removed, all usages removed) - - Remove assignments on dh_9 (definition removed, all usages removed) - - Remove assignments on kemContext_9 (definition removed, all usages removed) - - Remove assignments on pkR_4 (definition removed, all usages removed) - - Remove assignments on pkS_3 (definition removed, all usages removed) -yields - -Game 35 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R 
eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - {142} find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(enc_7[ic1, i1], enc_7[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1]) && (enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1)) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition enc_7[ic1, i1], enc_7[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1] with k'[ic1, i1], sk_1[i1], sk'_1[ic1, i1], 
enc_7[ic1, i1] in find at 142 -yields - -Game 36 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - {48} z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(k'[ic1, i1], sk_1[i1], sk'_1[ic1, i1], enc_7[ic1, i1]) && (enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1)) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) 
| ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction find i2 <= N suchthat - defined(sk_1[i2]) - && pk_R_1 = exp(g, sk_1[i2]) then at occurrence 48 -yields - -Game 37 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: 
bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(k'[ic1, i1], sk_1[i1], sk'_1[ic1, i1], enc_7[ic1, i1]) && (enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1)) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - {380} return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand(l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 380 -yields - -Game 38 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- 
concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(k'[ic1, i1], sk_1[i1], sk'_1[ic1, i1], enc_7[ic1, i1]) && (enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1)) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_11)) - else - 
return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - else - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_10 -> hk -yields - -Game 39 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {128}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], 
r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] orfind u_92 = ri_92 <= Qh suchthat defined(x_O_10[ri_92], r_10[ri_92]) && {197}(x_O_7 = x_O_10[ri_92]) then r_10[u_92] else r_7 <-R eae_output_t; r_7); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {300}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] orfind u_84 = ri_84 <= Qh suchthat defined(x_O_10[ri_84], r_10[ri_84]) && {369}(x_O_6 = x_O_10[ri_84]) then r_10[u_84] else r_6 <-R eae_output_t; r_6); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 
<= N suchthat defined(k'[ic1, i1], sk_1[i1], sk'_1[ic1, i1], enc_7[ic1, i1]) && (enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1)) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {513}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] orfind u_76 = ri_76 <= Qh suchthat defined(x_O_10[ri_76], r_10[ri_76]) && {582}(x_O_8 = x_O_10[ri_76]) then r_10[u_76] else r_8 <-R eae_output_t; r_8); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - 
return((x_O_9: eae_input_t <- x1_1; {633}find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] orfind u_68 = ri_68 <= Qh suchthat defined(x_O_10[ri_68], r_10[ri_68]) && {691}(x_O_9 = x_O_10[ri_68]) then r_10[u_68] else r_9 <-R eae_output_t; r_9)) - else - return((x_O_10: eae_input_t <- x1_1; {708}find [unique] u_66 = ri_66 <= Qeperuser, u_67 = ri_67 <= N suchthat defined(x_O_6[ri_66, ri_67], r_6[ri_66, ri_67]) && {713}(x_O_10 = x_O_6[ri_66, ri_67]) then r_6[u_66, u_67] orfind u_64 = ri_64 <= Qeperuser, u_65 = ri_65 <= N suchthat defined(x_O_7[ri_64, ri_65], r_7[ri_64, ri_65]) && {728}(x_O_10 = x_O_7[ri_64, ri_65]) then r_7[u_64, u_65] orfind u_62 = ri_62 <= Qdperuser, u_63 = ri_63 <= N suchthat defined(x_O_8[ri_62, ri_63], r_8[ri_62, ri_63]) && {743}(x_O_10 = x_O_8[ri_62, ri_63]) then r_8[u_62, u_63] orfind u_61 = ri_61 <= Qh suchthat defined(x_O_9[ri_61], r_9[ri_61]) && {756}(x_O_10 = x_O_9[ri_61]) then r_9[u_61] orfind u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) - )) - - -Applying simplify (non-expanded game) [probability N * N * PCollKey] - - Simplification pass - - Replaced (x_O_7 = x_O_10[ri_92]) with false at 197 - - Remove branch 5 in find at 128 - - Replaced (x_O_6 = x_O_10[ri_84]) with false at 369 - - Remove branch 5 in find at 300 - - Replaced (x_O_8 = x_O_10[ri_76]) with false at 582 - - Remove branch 5 in find at 
513 - - Replaced (x_O_9 = x_O_10[ri_68]) with false at 691 - - Remove branch 5 in find at 633 - - Replaced (x_O_10 = x_O_9[ri_61]) with false at 756 - - Remove branch 4 in find at 708 - - Replaced (x_O_10 = x_O_8[ri_62, ri_63]) with false at 743 - - Remove branch 3 in find at 708 - - Replaced (x_O_10 = x_O_7[ri_64, ri_65]) with false at 728 - - Remove branch 2 in find at 708 - - Replaced (x_O_10 = x_O_6[ri_66, ri_67]) with false at 713 - - Remove branch 1 in find at 708 -yields - -Game 40 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {128}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind 
u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] else r_7 <-R eae_output_t; r_7); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {288}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] else r_6 <-R eae_output_t; r_6); - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(k'[ic1, i1], sk_1[i1], sk'_1[ic1, i1], enc_7[ic1, i1]) && (enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1)) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, 
suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {489}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] else r_8 <-R eae_output_t; r_8); - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_9: eae_input_t <- x1_1; find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && 
(x_O_9 = x_O_9[ri_69]) then r_9[u_69] else r_9 <-R eae_output_t; r_9)) - else - return((x_O_10: eae_input_t <- x1_1; find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) - )) - - -Applying expand [probability (#OAEncap * Qeperuser + #OAEncap * N + N * N) * PCollKey] - - Expand if/find/let - - Remove branch 1 in find at 489 - - Remove branch 3 in find at 288 - - Remove branch 2 in find at 288 - - Remove branch 1 in find at 288 - - Remove branch 2 in find at 128 - - Remove branch 1 in find at 128 -yields - -Game 41 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then - zz_10: eae_output_t <- r_8[u_94, u_95]; - return(AuthEncap_tuple(zz_10, enc_8)) - orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then - zz_10: eae_output_t <- r_9[u_93]; - 
return(AuthEncap_tuple(zz_10, enc_8)) - else - r_7 <-R eae_output_t; - zz_10: eae_output_t <- r_7; - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then - zz_10: eae_output_t <- r_9[u_85]; - return(AuthEncap_tuple(zz_10, enc_8)) - else - r_6 <-R eae_output_t; - zz_10: eae_output_t <- r_6; - return(AuthEncap_tuple(zz_10, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(k'[ic1, i1], sk_1[i1], sk'_1[ic1, i1], enc_7[ic1, i1]) && (enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1)) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then - zz_11: eae_output_t <- r_7[u_80, u_81]; - return(AuthDecap_Some(zz_11)) - orfind u_78 = 
ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then - zz_11: eae_output_t <- r_8[u_78, u_79]; - return(AuthDecap_Some(zz_11)) - orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then - zz_11: eae_output_t <- r_9[u_77]; - return(AuthDecap_Some(zz_11)) - else - r_8 <-R eae_output_t; - zz_11: eae_output_t <- r_8; - return(AuthDecap_Some(zz_11)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- x1_1; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- x1_1; - find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_10 (definition point 
kept, all usages removed) - - Remove assignments on x_O_9 (definition point kept, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) -yields - -Game 42 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- {65}concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - {127} find [unique] u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && {132}(x_O_7 = x_O_8[ri_94, ri_95]) then - return(AuthEncap_tuple(r_8[u_94, u_95], enc_8)) - orfind u_93 = ri_93 <= Qh 
suchthat defined(x1_1[ri_93], x_O_9[ri_93], r_9[ri_93]) && {156}(x_O_7 = x1_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - {262} find [unique] u_85 = ri_85 <= Qh suchthat defined(x1_1[ri_85], x_O_9[ri_85], r_9[ri_85]) && {266}(x_O_6 = x1_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - {306} find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(k'[ic1, i1], sk_1[i1], sk'_1[ic1, i1], enc_7[ic1, i1]) && {314}((enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1))) then - return(AuthDecap_Some(k'[ic1_1, i1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - {413} find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && {418}(x_O_8 = x_O_7[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - 
orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && {440}(x_O_8 = x_O_8[ri_78, ri_79]) then - return(AuthDecap_Some(r_8[u_78, u_79])) - orfind u_77 = ri_77 <= Qh suchthat defined(x1_1[ri_77], x_O_9[ri_77], r_9[ri_77]) && {461}(x_O_8 = x1_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - {510} find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && {515}(x1_1 = x_O_6[ri_74, ri_75]) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && {533}(x1_1 = x_O_7[ri_72, ri_73]) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && {551}(x1_1 = x_O_8[ri_70, ri_71]) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(x1_1[ri_69], x_O_9[ri_69], r_9[ri_69]) && {568}(x1_1 = x1_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - {588} find [unique] u_60 = ri_60 <= Qh suchthat defined(x1_1[ri_60], x_O_10[ri_60], r_10[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying simplify [probability 4 * N * N * PCollKey] - - Simplification pass - - 
Replaced defined condition x1_1[ri_60], x_O_10[ri_60], r_10[ri_60] with r_10[ri_60], x1_1[ri_60] in find at 588 - - Replaced (x1_1 = x1_1[ri_69]) with ((pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69])) at 568 - - Replaced defined condition x1_1[ri_69], x_O_9[ri_69], r_9[ri_69] with r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69] in find at 510 - - Replaced (x1_1 = x_O_8[ri_70, ri_71]) with ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 551 - - Replaced defined condition x_O_8[ri_70, ri_71], r_8[ri_70, ri_71] with r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71] in find at 510 - - Replaced (x1_1 = x_O_7[ri_72, ri_73]) with ((pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) 
&& (salt_1 = lbytes_empty)) at 533 - - Replaced defined condition x_O_7[ri_72, ri_73], r_7[ri_72, ri_73] with r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_1598[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73] in find at 510 - - Replaced (x1_1 = x_O_6[ri_74, ri_75]) with ((pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 515 - - Replaced defined condition x_O_6[ri_74, ri_75], r_6[ri_74, ri_75] with r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75] in find at 510 - - Replaced (x_O_8 = x1_1[ri_77]) with ((pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77])) at 461 - - Replaced defined condition x1_1[ri_77], x_O_9[ri_77], r_9[ri_77] with r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77] in find at 413 - - Replaced (x_O_8 = x_O_8[ri_78, ri_79]) with ((pk_S_1 = pk_S_1[ri_78, ri_79]) && (i_1 = ri_79) && (pkE_11 = pkE_11[ri_78, ri_79])) at 440 - - In branch 2 of find at 413, substituting u_79 with i_1 - - Replaced defined condition x_O_8[ri_78, 
ri_79], r_8[ri_78, ri_79] with r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78] in find at 413 - - Replaced (x_O_8 = x_O_7[ri_80, ri_81]) with ((pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_1598[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81])) at 418 - - Replaced defined condition x_O_7[ri_80, ri_81], r_7[ri_80, ri_81] with r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_1598[ri_80, ri_81], pkS_4[ri_80, ri_81] in find at 413 - - Replaced ((enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1))) with ((enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (i1 = i_1)) at 314 - - In branch 1 of find at 306, substituting i1_1 with i_1 - - Replaced defined condition k'[ic1, i1], sk_1[i1], sk'_1[ic1, i1], enc_7[ic1, i1] with k'[ic1], sk'_1[ic1], enc_7[ic1] in find at 306 - - Replaced (x_O_6 = x1_1[ri_85]) with ((pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85])) at 266 - - Replaced defined condition x1_1[ri_85], x_O_9[ri_85], r_9[ri_85] with r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85] in find at 262 - - Replaced concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)) with concatDH(exp(g, mult(sk_1[i2_1598], z_5)), exp(g, mult(sk_1[i2_1598], sk_1))) at 65 - - Replaced (x_O_7 = x1_1[ri_93]) with ((pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = 
l_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93])) at 156 - - Replaced defined condition x1_1[ri_93], x_O_9[ri_93], r_9[ri_93] with r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93] in find at 127 - - Replaced (x_O_7 = x_O_8[ri_94, ri_95]) with ((pkS_4 = pk_S_1[ri_94, ri_95]) && (i2_1598 = ri_95) && (pkE_10 = pkE_11[ri_94, ri_95])) at 132 - - In branch 1 of find at 127, substituting u_95 with i2_1598 - - Replaced defined condition x_O_8[ri_94, ri_95], r_8[ri_94, ri_95] with r_8[ri_94, i2_1598], pkE_11[ri_94, i2_1598], pk_S_1[ri_94, i2_1598] in find at 127 -yields - -Game 43 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_1598], z_5)), exp(g, mult(sk_1[i2_1598], sk_1))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - {133} find [unique] u_94 = ri_94 <= 
Qdperuser suchthat defined(r_8[ri_94, i2_1598], pkE_11[ri_94, i2_1598], pk_S_1[ri_94, i2_1598]) && {146}((pkS_4 = pk_S_1[ri_94, i2_1598]) && (i2_1598 = i2_1598) && (pkE_10 = pkE_11[ri_94, i2_1598])) then - u_95 <= N <- i2_1598; - return(AuthEncap_tuple(r_8[u_94, i2_1598], enc_8)) - orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && 
(label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && {532}((enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) && (i_1 = i_1)) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_1598[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_1598[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && {673}((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_11 = pkE_11[ri_78])) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], 
label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_1598[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && 
(pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - 
return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying simplify [probability #OAEncap * Qdperuser * PCollKey] - - Simplification pass - - Replaced ((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_11 = pkE_11[ri_78])) with ((pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78])) at 673 - - Replaced ((enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) && (i_1 = i_1)) with ((enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1)) at 532 - - Replaced ((pkS_4 = pk_S_1[ri_94, i2_1598]) && (i2_1598 = i2_1598) && (pkE_10 = pkE_11[ri_94, i2_1598])) with false at 146 - - Remove branch 1 in find at 133 -yields - -Game 44 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_1598], z_5)), exp(g, mult(sk_1[i2_1598], sk_1))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) 
&& (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], 
enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_1598[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_1598[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) 
| ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_1598[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = 
pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying move all binders - - Move assignment to x_O_10 - - Move assignment to x_O_9 - - Move assignment to x_O_8 - - Move assignment to info_5 - - Move assignment to key_5 - - Move assignment to kemContext_11 - - Move assignment to x_O_6 - - Move assignment to info_4 - - Move assignment to key_4 - - Move assignment to kemContext_10 - - Move assignment to x_O_7 - - Move assignment to info_4 - - Move assignment to key_4 - - Move assignment to kemContext_10 -yields - -Game 45 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= 
Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_1598], z_5)), exp(g, mult(sk_1[i2_1598], sk_1))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && 
(suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_1598[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_1598[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = 
suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_1598[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = 
lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_11 (definition removed, all usages removed) - - Remove assignments on u_79 (definition removed, all usages removed) - - Remove assignments on i1_1 (definition removed, all usages removed) - - Remove assignments on dh_10 (definition removed, all usages removed) - - Remove assignments on dh_10 (definition removed, all usages removed) -yields - -Game 
46 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && 
(RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_1598[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_1598[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R 
eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_1598[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], 
pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying SA rename z_5 - - Rename variable z_5 into z_9, z_8 -yields - -Game 47 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_8 <-R Z_t; - 
pkE_10: G_t <- exp(g, z_8); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_8)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_8)) - else - z_9 <-R Z_t; - pkE_10: G_t <- exp(g, z_9); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_8)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_8)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 
<= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_1598[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_1598[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': 
G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_1598[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - 
return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying SA rename enc_8 - - Rename variable enc_8 into enc_12, enc_11 -yields - -Game 48 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_8 <-R Z_t; - pkE_10: G_t <- exp(g, z_8); - enc_11: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = 
label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_11)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_11)) - else - z_9 <-R Z_t; - pkE_10: G_t <- exp(g, z_9); - enc_12: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_12)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_12)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_1598[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_1598[ri_80, ri_81]) && 
(pkE_11 = pkE_10[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], 
sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_1598[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && 
(l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying SA rename pkE_10 - - Rename variable pkE_10 into pkE_15, pkE_14 -yields - -Game 49 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ic_1 <= Qcperuser do - Ochall(sk'_1: Z_t) := - z_4 <-R Z_t; - pkE_9: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_9); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - ) | ( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i2_1598 = i2_1599 <= N suchthat defined(sk_1[i2_1599]) && (pk_R_1 = exp(g, sk_1[i2_1599])) then - z_8 <-R Z_t; - pkE_14: G_t <- exp(g, z_8); - enc_11: bitstring <- Serialize(pkE_14); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_14 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_1598], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - return(AuthEncap_tuple(r_9[u_93], enc_11)) - else - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_11)) - 
else - z_9 <-R Z_t; - pkE_15: G_t <- exp(g, z_9); - enc_12: bitstring <- Serialize(pkE_15); - pkS_4: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_15 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_12)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_12)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd_1: bitstring) := - find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then - return(AuthDecap_Some(k'[ic1_1])) - else - let Serialize(pkE_11: G_t) = cd_1 in - pkR_5: G_t <- exp(g, sk_1); - find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_14[ri_80, ri_81], i2_1598[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_1598[ri_80, ri_81]) && (pkE_11 = pkE_14[ri_80, ri_81]) then - return(AuthDecap_Some(r_7[u_80, u_81])) - orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], 
label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_15[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_15[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_1598[ri_72, ri_73]], pkE_14[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = 
pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_14[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_1598[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Proved 
indistinguishability between game 49 and game 1 -Game 49 is the same as game 32. -Adv[Game 1: indistinguishability from game 32] <= Adv_GDH(time_1, 2 * Qh * Qdperuser + N * #OAEncap + 3 * Qh * N + 2 * Qeperuser * #Ochall) + (N + #Ochall) * PDistRerandom + (#OAEncap * Qdperuser + #OADecap * Qcperuser + #OAEncap * Qcperuser + #OAEncap * N + 6 * #OAEncap * Qeperuser + 2 * #Ochall * Qcperuser + 11 * N * N) * PCollKey + Adv[Game 32: indistinguishability from game 32] -Adv[Game 32: indistinguishability from game 32] <= 0 -Adv[Game 33: indistinguishability from game 49] <= (#OAEncap * Qdperuser + #OAEncap * N + #OAEncap * Qeperuser + 6 * N * N) * PCollKey + Adv[Game 49: indistinguishability from game 49] -Adv[Game 49: indistinguishability from game 49] <= 0 -RESULT Proved indistinguishability between game 33 and game 1 up to probability Adv_GDH(time_1, 2 * Qh * Qdperuser + N * #OAEncap + 3 * Qh * N + 2 * Qeperuser * #Ochall) + (N + #Ochall) * PDistRerandom + (2 * #OAEncap * Qdperuser + #OADecap * Qcperuser + #OAEncap * Qcperuser + 2 * #OAEncap * N + 7 * #OAEncap * Qeperuser + 2 * #Ochall * Qcperuser + 17 * N * N) * PCollKey -RESULT time_1 = time(context for game 28) + time + (1 + #Ochall + N) * time(exp) -RESULT time(context for game 28) = (#Ochall + #OAEncap) * time(Serialize) + (#Ochall + #OAEncap + #OADecap * Qcperuser + 2 * Qh * #OAEncap) * time(exp) + #Ochall * time(AuthEncap_tuple, maxlength(game 28: enc_2)) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_9)) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_10)) + #OADecap * Qcperuser * time(= bitstring, maxlength(game 28: enc_2), maxlength(game 28: cd)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (2 * Qh * #Ochall + 3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) -All queries proved. 
+Initial state +Game 1 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + return((pkR_1: G_t <- exp(g, sk); {26}let (skE_2: Z_t, pkE_3: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_3: GG_t <- concatDH(exp(pkR_1, skE_2), exp(pkR_1, sk')); enc_2: bitstring <- Serialize(pkE_3); pkS: G_t <- exp(g, sk'); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); zz_3: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_3, enc_2) else AuthEncap_None)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + return({119}(let (skE_3: Z_t, pkE_4: G_t) = (z_2 <-R Z_t; (z_2, exp(g, z_2))) in dh_4: GG_t <- concatDH(exp(pk_R, skE_3), exp(pk_R, sk)); enc_3: bitstring <- Serialize(pkE_4); pkS_1: G_t <- exp(g, sk); kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); zz_4: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1))); AuthEncap_tuple(zz_4, enc_3) else AuthEncap_None)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + return((skR: Z_t <- sk; let Serialize(pkE_5: G_t) = cd in dh_5: GG_t <- concatDH(exp(pkE_5, skR), exp(pk_S, skR)); pkR_2: G_t <- exp(g, skR); kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); zz_5: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); 
ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2))); AuthDecap_Some(zz_5) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (skE_3: Z_t, pkE_4: G_t) (tuple expanded) at 119 + - Remove else branch of let at 119 + - Simplify pattern (skE_2: Z_t, pkE_3: G_t) (tuple expanded) at 26 + - Remove else branch of let at 26 +yields + +Game 2 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + skE_2: Z_t <- z_1; + dh_3: GG_t <- concatDH(exp(pkR_1, skE_2), exp(pkR_1, sk')); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + skE_3: Z_t <- z_2; + dh_4: GG_t <- concatDH(exp(pk_R, skE_3), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id 
<= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + skR: Z_t <- sk; + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, skR), exp(pk_S, skR)); + pkR_2: G_t <- exp(g, skR); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR (definition removed, all usages removed) + - Remove assignments on skE_3 (definition removed, all usages removed) + - Remove assignments on skE_2 (definition removed, all usages removed) +yields + +Game 3 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- {32}concatDH(exp(pkR_1, z_1), exp(pkR_1, sk')); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- 
Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pkR_1, z_1), exp(pkR_1, sk')) with concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))) at 32 +yields + +Game 4 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, 
label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + {217} let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying insert instruction find ic_1 = ic <= Qcperuser suchthat + defined(zz_3[ic], sk'[ic], enc_2[ic]) + && (enc_2[ic] = cd) + && (exp(g, sk'[ic]) = pk_S) + then at occurrence 217 +yields + +Game 5 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + 
pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + {217} find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + {241} let Serialize(pkE_5: G_t) = {242}cd in + dh_5: GG_t <- {246}concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: 
GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced cd with Serialize(pkE_3[ic_2]) at 242 + - Remove else branch of let at 241 + - Simplify pattern Serialize(pkE_5: G_t) (tuple expanded) at 241 + - Replaced concatDH(exp(pkE_5, sk), exp(pk_S, sk)) with concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))) at 246 + - Replaced defined condition zz_3[ic_3], sk'[ic_3], enc_2[ic_3] with zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3] in find at 217 +yields + +Game 6 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + 
pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + pkE_5: G_t <- pkE_3[ic_2]; + dh_5: GG_t <- concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some({321}zz_5)) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + 
return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying replace term at occurrence 321 with zz_3[ic_2] +yields + +Game 7 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + pkE_5: G_t <- pkE_3[ic_2]; + dh_5: GG_t <- concatDH(exp(g, mult(z_1[ic_2], sk)), exp(g, mult(sk'[ic_2], sk))); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying remove assignments of useless + - Remove assignments on pkE_5 (definition removed, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on key_2 (definition removed, all usages removed) + - Remove assignments on info_2 (definition removed, all usages removed) + - Remove assignments on dh_5 (definition removed, all usages removed) + - Remove assignments on kemContext_5 (definition removed, all usages removed) + - Remove assignments on pkR_2 (definition removed, all usages removed) +yields + +Game 8 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- 
concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + {217} find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying simplify + - 
Simplification pass + - Replaced defined condition zz_3[ic_3], z_1[ic_3], pkE_3[ic_3], sk'[ic_3], enc_2[ic_3] with zz_3[ic_3], sk'[ic_3], enc_2[ic_3] in find at 217 +yields + +Game 9 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + {123} z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- 
concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying insert instruction find i1 <= N suchthat + defined(sk[i1]) + && pk_R = exp(g, sk[i1]) then at occurrence 123 +yields + +Game 10 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, 
label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + else + z_2 <-R Z_t; + pkE_4: G_t <- exp(g, z_2); + dh_4: GG_t <- concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename z_2 + - Rename variable z_2 into z_7, z_6 +yields + +Game 11 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R 
Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_4: GG_t <- {141}concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && 
(enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pk_R, z_6), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))) at 141 +yields + +Game 12 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_4: GG_t <- concatDH(exp(g, mult(sk[i1_2], 
z_6)), exp(g, mult(sk[i1_2], sk))); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_3: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_3)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + 
return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename enc_3 + - Rename variable enc_3 into enc_10, enc_9 +yields + +Game 13 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_4: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_9)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_4: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_4); + info_1: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename dh_4 + - Rename variable dh_4 into dh_13, dh_12 +yields + +Game 14 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, 
info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_9)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_4: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_4, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: 
eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename zz_4 + - Rename variable zz_4 into zz_13, zz_12 +yields + +Game 15 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_4: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_4: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, 
z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_4); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_4, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename pkE_4 + - Rename variable pkE_4 into pkE_13, pkE_12 +yields + +Game 16 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_4: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_4); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: 
G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename kemContext_4 + - Rename variable kemContext_4 into kemContext_13, kemContext_12 +yields + +Game 17 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_1, info_1)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename key_1 + - Rename variable key_1 into key_7, key_6 +yields + +Game 18 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= 
Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_1)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_1)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + 
OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying SA rename info_1 + - Rename variable info_1 into info_7, info_6 +yields + +Game 19 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- 
concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: 
eae_input_t) := + {448} return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand( + l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 448 +yields + +Game 20 is + Ostart() := + key_extr_4 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_12, 
enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- ExtractAndExpand_inner(key_extr_4, eae_input(lbytes_empty, key_2, info_2)); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return(ExtractAndExpand_inner(key_extr_4, x1)) + else + return(ExtractAndExpand_inner(key_extr_4, x1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence 
rom(ExtractAndExpand_inner) with variables: key_extr_4 -> hk +yields + +Game 21 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key, info); {98}find [unique] u_58 = ri_58 <= Qcperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && {121}(x_O = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qeperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && {139}(x_O = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then r_4[u_51] orfind u_50 = ri_50 <= Qh suchthat defined(x_O_5[ri_50], r_5[ri_50]) && {185}(x_O = x_O_5[ri_50]) then r_5[u_50] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: 
bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {309}find [unique] u_48 = ri_48 <= Qcperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && {314}(x_O_2 = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_46 = ri_46 <= Qeperuser, u_47 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], r_1[ri_46, ri_47]) && {332}(x_O_2 = x_O_1[ri_46, ri_47]) then r_1[u_46, u_47] orfind u_44 = ri_44 <= Qeperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O_2 = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then r_4[u_41] orfind u_40 = ri_40 <= Qh suchthat defined(x_O_5[ri_40], r_5[ri_40]) && {396}(x_O_2 = x_O_5[ri_40]) then r_5[u_40] else r_2 <-R eae_output_t; r_2); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {499}find [unique] u_38 = ri_38 <= Qcperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], 
r[ri_38, ri_39]) && {504}(x_O_1 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qeperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && {540}(x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_1 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then r_4[u_31] orfind u_30 = ri_30 <= Qh suchthat defined(x_O_5[ri_30], r_5[ri_30]) && {586}(x_O_1 = x_O_5[ri_30]) then r_5[u_30] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {717}find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_3 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, 
ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then r_4[u_21] orfind u_20 = ri_20 <= Qh suchthat defined(x_O_5[ri_20], r_5[ri_20]) && {804}(x_O_3 = x_O_5[ri_20]) then r_5[u_20] else r_3 <-R eae_output_t; r_3); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_4: eae_input_t <- x1; {855}find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] orfind u_10 = ri_10 <= Qh suchthat defined(x_O_5[ri_10], r_5[ri_10]) && {928}(x_O_4 = x_O_5[ri_10]) then r_5[u_10] else r_4 <-R eae_output_t; r_4)) + else + return((x_O_5: eae_input_t <- x1; {945}find [unique] u_8 = 
ri_8 <= Qcperuser, u_9 = ri_9 <= N suchthat defined(x_O[ri_8, ri_9], r[ri_8, ri_9]) && {950}(x_O_5 = x_O[ri_8, ri_9]) then r[u_8, u_9] orfind u_6 = ri_6 <= Qeperuser, u_7 = ri_7 <= N suchthat defined(x_O_1[ri_6, ri_7], r_1[ri_6, ri_7]) && {965}(x_O_5 = x_O_1[ri_6, ri_7]) then r_1[u_6, u_7] orfind u_4 = ri_4 <= Qeperuser, u_5 = ri_5 <= N suchthat defined(x_O_2[ri_4, ri_5], r_2[ri_4, ri_5]) && {980}(x_O_5 = x_O_2[ri_4, ri_5]) then r_2[u_4, u_5] orfind u_2 = ri_2 <= Qdperuser, u_3 = ri_3 <= N suchthat defined(x_O_3[ri_2, ri_3], r_3[ri_2, ri_3]) && {995}(x_O_5 = x_O_3[ri_2, ri_3]) then r_3[u_2, u_3] orfind u_1 = ri_1 <= Qh suchthat defined(x_O_4[ri_1], r_4[ri_1]) && {1008}(x_O_5 = x_O_4[ri_1]) then r_4[u_1] orfind u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) + )) + + +Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + #Ochall^2 + 4 * #Ochall * #OAEncap + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O = x_O_5[ri_50]) with false at 185 + - Remove branch 6 in find at 98 + - Replaced (x_O = x_O_2[ri_54, ri_55]) with false at 139 + - Remove branch 3 in find at 98 + - Replaced (x_O = x_O_1[ri_56, ri_57]) with false at 121 + - Remove branch 2 in find at 98 + - Replaced (x_O_2 = x_O_5[ri_40]) with false at 396 + - Remove branch 6 in find at 309 + - Replaced (x_O_2 = x_O_1[ri_46, ri_47]) with false at 332 + - Remove branch 2 in find at 309 + - Replaced (x_O_2 = x_O[ri_48, ri_49]) with false at 314 + - Remove branch 1 in find at 309 + - Replaced (x_O_1 = x_O_5[ri_30]) with false at 586 + - Remove branch 6 in find at 499 + - Replaced (x_O_1 = x_O_2[ri_34, ri_35]) with false at 540 + - Remove branch 3 in find at 499 + - Replaced (x_O_1 = x_O[ri_38, ri_39]) with false at 504 + - Remove branch 1 in find at 499 + - Replaced (x_O_3 = x_O_5[ri_20]) with false at 804 + - Remove branch 6 in find at 717 + - Replaced (x_O_4 = x_O_5[ri_10]) with false at 928 + - Remove branch 6 in find at 
855 + - Replaced (x_O_5 = x_O_4[ri_1]) with false at 1008 + - Remove branch 5 in find at 945 + - Replaced (x_O_5 = x_O_3[ri_2, ri_3]) with false at 995 + - Remove branch 4 in find at 945 + - Replaced (x_O_5 = x_O_2[ri_4, ri_5]) with false at 980 + - Remove branch 3 in find at 945 + - Replaced (x_O_5 = x_O_1[ri_6, ri_7]) with false at 965 + - Remove branch 2 in find at 945 + - Replaced (x_O_5 = x_O[ri_8, ri_9]) with false at 950 + - Remove branch 1 in find at 945 +yields + +Game 22 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key, info); {98}find [unique] u_58 = ri_58 <= Qcperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then r_4[u_51] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + 
pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_12: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {261}find [unique] u_44 = ri_44 <= Qeperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O_2 = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then r_4[u_41] else r_2 <-R eae_output_t; r_2); + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_13: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {403}find [unique] u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_1 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then r_4[u_31] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, 
cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + zz_5: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {573}find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_3 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then r_4[u_21] else r_3 <-R eae_output_t; r_3); + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_4: eae_input_t <- x1; find [unique] u_18 = 
ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] else r_4 <-R eae_output_t; r_4)) + else + return((x_O_5: eae_input_t <- x1; find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) + )) + + +Applying expand [probability (#Ochall^2 + 2 * #OAEncap^2 + #OAEncap * N + N^2) * PCollKey] + - Expand if/find/let + - Remove branch 2 in find at 573 + - Remove branch 2 in find at 403 + - Remove branch 1 in find at 403 + - Remove branch 1 in find at 261 + - Remove branch 1 in find at 98 +yields + +Game 23 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O: eae_input_t <- eae_input(lbytes_empty, key, info); + find [unique] u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N 
suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O = x_O_3[ri_52, ri_53]) then + zz_3: eae_output_t <- r_3[u_52, u_53]; + return(AuthEncap_tuple(zz_3, enc_2)) + orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O = x_O_4[ri_51]) then + zz_3: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(zz_3, enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(zz_3, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O_2 = x_O_3[ri_42, ri_43]) then + zz_12: eae_output_t <- r_3[u_42, u_43]; + return(AuthEncap_tuple(zz_12, enc_9)) + orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O_2 = x_O_4[ri_41]) then + zz_12: eae_output_t <- r_4[u_41]; + return(AuthEncap_tuple(zz_12, enc_9)) + else + r_2 <-R eae_output_t; + zz_12: eae_output_t <- r_2; + return(AuthEncap_tuple(zz_12, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_1 = x_O_4[ri_31]) then + zz_13: eae_output_t <- r_4[u_31]; + return(AuthEncap_tuple(zz_13, enc_10)) + else + r_1 <-R eae_output_t; + zz_13: eae_output_t <- r_1; + return(AuthEncap_tuple(zz_13, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_3 = x_O[ri_28, ri_29]) then + zz_5: eae_output_t <- r[u_28, u_29]; + return(AuthDecap_Some(zz_5)) + orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_3 = x_O_2[ri_24, ri_25]) then + zz_5: eae_output_t <- r_2[u_24, u_25]; + return(AuthDecap_Some(zz_5)) + orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_3 = x_O_3[ri_22, ri_23]) then + zz_5: eae_output_t <- r_3[u_22, u_23]; + return(AuthDecap_Some(zz_5)) + orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_3 = x_O_4[ri_21]) then + zz_5: eae_output_t <- r_4[u_21]; + return(AuthDecap_Some(zz_5)) + else + r_3 <-R eae_output_t; 
+ zz_5: eae_output_t <- r_3; + return(AuthDecap_Some(zz_5)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- x1; + find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- x1; + find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_5 (definition point kept, all usages removed) + - Remove assignments on x_O_4 (definition point kept, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on zz_5 (definition removed, all 
usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on zz_5 (definition removed, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition removed, all usages removed) + - Remove assignments on zz_3 (definition kept, array references kept) + - Remove assignments on zz_3 (definition kept, array references kept) + - Remove assignments on zz_3 (definition kept, array references kept) +yields + +Game 24 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O: eae_input_t <- eae_input(lbytes_empty, key, info); + {97} find [unique] u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && {102}(x_O = x_O_3[ri_52, ri_53]) then + zz_3: eae_output_t <- r_3[u_52, u_53]; + return(AuthEncap_tuple(r_3[u_52, u_53], enc_2)) + orfind u_51 = ri_51 <= Qh suchthat defined(x1[ri_51], x_O_4[ri_51], r_4[ri_51]) && {135}(x_O = x1[ri_51]) then + zz_3: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser 
do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + {273} find [unique] u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && {278}(x_O_2 = x_O_3[ri_42, ri_43]) then + return(AuthEncap_tuple(r_3[u_42, u_43], enc_9)) + orfind u_41 = ri_41 <= Qh suchthat defined(x1[ri_41], x_O_4[ri_41], r_4[ri_41]) && {302}(x_O_2 = x1[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + {408} find [unique] u_31 = ri_31 <= Qh suchthat defined(x1[ri_31], x_O_4[ri_31], r_4[ri_31]) && {412}(x_O_1 = x1[ri_31]) then + return(AuthEncap_tuple(r_4[u_31], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = 
cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + {546} find [unique] u_28 = ri_28 <= Qcperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && {551}(x_O_3 = x_O[ri_28, ri_29]) then + return(AuthDecap_Some(r[u_28, u_29])) + orfind u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && {573}(x_O_3 = x_O_2[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_24, u_25])) + orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && {595}(x_O_3 = x_O_3[ri_22, ri_23]) then + return(AuthDecap_Some(r_3[u_22, u_23])) + orfind u_21 = ri_21 <= Qh suchthat defined(x1[ri_21], x_O_4[ri_21], r_4[ri_21]) && {616}(x_O_3 = x1[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + {665} find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && {670}(x1 = x_O[ri_18, ri_19]) then + return(r[u_18, u_19]) + 
orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && {688}(x1 = x_O_1[ri_16, ri_17]) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && {706}(x1 = x_O_2[ri_14, ri_15]) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && {724}(x1 = x_O_3[ri_12, ri_13]) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(x1[ri_11], x_O_4[ri_11], r_4[ri_11]) && {741}(x1 = x1[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + {761} find [unique] u = ri <= Qh suchthat defined(x1[ri], x_O_5[ri], r_5[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced defined condition x1[ri], x_O_5[ri], r_5[ri] with r_5[ri], x1[ri] in find at 761 + - Replaced (x1 = x1[ri_11]) with ((pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11])) at 741 + - Replaced defined condition x1[ri_11], x_O_4[ri_11], r_4[ri_11] with r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11] in find at 665 + - Replaced (x1 = x_O_3[ri_12, ri_13]) with ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && 
(dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 724 + - Replaced defined condition x_O_3[ri_12, ri_13], r_3[ri_12, ri_13] with r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13] in find at 665 + - Replaced (x1 = x_O_2[ri_14, ri_15]) with ((pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 706 + - Replaced defined condition x_O_2[ri_14, ri_15], r_2[ri_14, ri_15] with r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15] in find at 665 + - Replaced (x1 = x_O_1[ri_16, ri_17]) with ((pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 688 + - Replaced defined condition x_O_1[ri_16, ri_17], r_1[ri_16, ri_17] with r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17] in find at 665 + - Replaced (x1 = x_O[ri_18, ri_19]) with ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = 
exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 670 + - Replaced defined condition x_O[ri_18, ri_19], r[ri_18, ri_19] with r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19] in find at 665 + - Replaced (x_O_3 = x1[ri_21]) with ((pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21])) at 616 + - Replaced defined condition x1[ri_21], x_O_4[ri_21], r_4[ri_21] with r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21] in find at 546 + - Replaced (x_O_3 = x_O_3[ri_22, ri_23]) with ((pk_S = pk_S[ri_22, ri_23]) && (i = ri_23) && (pkE_5 = pkE_5[ri_22, ri_23])) at 595 + - In branch 3 of find at 546, substituting u_23 with i + - Replaced defined condition x_O_3[ri_22, ri_23], r_3[ri_22, ri_23] with r_3[ri_22], pkE_5[ri_22], pk_S[ri_22] in find at 546 + - Replaced (x_O_3 = x_O_2[ri_24, ri_25]) with ((pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25])) at 573 + - Replaced defined condition x_O_2[ri_24, ri_25], r_2[ri_24, ri_25] with r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25] in find at 546 + - Replaced (x_O_3 = x_O[ri_28, ri_29]) with ((pk_S = pkS[ri_28, ri_29]) && (i = ri_29) && (pkE_5 = pkE_3[ri_28, ri_29])) at 551 + - Remove branch 1 in find at 546 + - Replaced (x_O_1 = x1[ri_31]) with ((pkS_1 = 
pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31])) at 412 + - Replaced defined condition x1[ri_31], x_O_4[ri_31], r_4[ri_31] with r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31] in find at 408 + - Replaced (x_O_2 = x1[ri_41]) with ((pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41])) at 302 + - Replaced defined condition x1[ri_41], x_O_4[ri_41], r_4[ri_41] with r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41] in find at 273 + - Replaced (x_O_2 = x_O_3[ri_42, ri_43]) with ((pkS_1 = pk_S[ri_42, ri_43]) && (i1_2 = ri_43) && (pkE_12 = pkE_5[ri_42, ri_43])) at 278 + - In branch 1 of find at 273, substituting u_43 with i1_2 + - Replaced defined condition x_O_3[ri_42, ri_43], r_3[ri_42, ri_43] with r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2] in find at 273 + - Replaced (x_O = x1[ri_51]) with ((pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && 
(I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51])) at 135 + - Replaced defined condition x1[ri_51], x_O_4[ri_51], r_4[ri_51] with r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51] in find at 97 + - Replaced (x_O = x_O_3[ri_52, ri_53]) with ((pkS = pk_S[ri_52, ri_53]) && (i = ri_53) && (pkE_3 = pkE_5[ri_52, ri_53])) at 102 + - In branch 1 of find at 97, substituting u_53 with i + - Replaced defined condition x_O_3[ri_52, ri_53], r_3[ri_52, ri_53] with r_3[ri_52], pkE_5[ri_52], pk_S[ri_52] in find at 97 +yields + +Game 25 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O: eae_input_t <- eae_input(lbytes_empty, key, info); + {97} find [unique] u_52 = ri_52 <= Qdperuser suchthat defined(r_3[ri_52], pkE_5[ri_52], pk_S[ri_52]) && {104}((pkS = pk_S[ri_52]) && (i = i) && (pkE_3 = pkE_5[ri_52])) then + u_53 <= N <- i; + zz_3: eae_output_t <- r_3[u_52]; + return(AuthEncap_tuple(r_3[u_52], enc_2)) + orfind u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], 
pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && {389}((pkS_1 = pk_S[ri_42, i1_2]) && (i1_2 = i1_2) && (pkE_12 = pkE_5[ri_42, i1_2])) then + u_43 <= N <- i1_2; + return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) + orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && 
(I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_31], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + 
pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_24, u_25])) + orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && {909}((pk_S = pk_S[ri_22]) && (i = i) && (pkE_5 = pkE_5[ri_22])) then + u_23 <= N <- i; + return(AuthDecap_Some(r_3[u_22])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, 
concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) 
then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying simplify [probability #OADecap * Qcperuser * PCollKey] + - Simplification pass + - Replaced ((pk_S = pk_S[ri_22]) && (i = i) && (pkE_5 = pkE_5[ri_22])) with ((pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22])) at 909 + - Replaced ((pkS_1 = pk_S[ri_42, i1_2]) && (i1_2 = i1_2) && (pkE_12 = pkE_5[ri_42, i1_2])) with ((pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2])) at 389 + - Replaced ((pkS = pk_S[ri_52]) && (i = i) && (pkE_3 = pkE_5[ri_52])) with false at 104 + - Remove branch 1 in find at 97 +yields + 
+Game 26 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O: eae_input_t <- eae_input(lbytes_empty, key, info); + find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_12, pk_R, pkS_1); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, 
dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then + u_43 <= N <- i1_2; + return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) + orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_13, pk_R, pkS_1); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) 
&& (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_31], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + kemContext_5: GGG_t <- concatContext(pkE_5, pkR_2, pk_S); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_5); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_5); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_24, u_25])) + orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + u_23 <= N <- i; + return(AuthDecap_Some(r_3[u_22])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = 
pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], 
sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = 
protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying move all binders + - Move assignment to x_O_5 + - Move assignment to x_O_4 + - Move assignment to x_O_3 + - Move assignment to info_2 + - Move assignment to key_2 + - Move assignment to kemContext_5 + - Move assignment to x_O_1 + - Move assignment to info_7 + - Move assignment to key_7 + - Move assignment to kemContext_13 + - Move assignment to x_O_2 + - Move assignment to info_6 + - Move assignment to key_6 + - Move assignment to kemContext_12 + - Move assignment to x_O + - Move assignment to info + - Move assignment to key + - Move assignment to kemContext_3 +yields + +Game 27 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + dh_3: GG_t <- concatDH(exp(g, mult(sk, z_1)), exp(g, mult(sk, sk'))); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_51]; + 
return(AuthEncap_tuple(r_4[u_51], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + dh_12: GG_t <- concatDH(exp(g, mult(sk[i1_2], z_6)), exp(g, mult(sk[i1_2], sk))); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then + u_43 <= N <- i1_2; + return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) + orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + dh_13: GG_t <- concatDH(exp(pk_R, z_7), exp(pk_R, sk)); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && 
(pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_31], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + dh_5: GG_t <- concatDH(exp(pkE_5, sk), exp(pk_S, sk)); + pkR_2: G_t <- exp(g, sk); + find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_24, u_25])) + orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + u_23 <= N <- i; + return(AuthDecap_Some(r_3[u_22])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) 
then + return(AuthDecap_Some(r_4[u_21])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], 
pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_5 (definition removed, all usages removed) + - 
Remove assignments on u_23 (definition removed, all usages removed) + - Remove assignments on dh_13 (definition removed, all usages removed) + - Remove assignments on dh_12 (definition removed, all usages removed) + - Remove assignments on u_43 (definition removed, all usages removed) + - Remove assignments on dh_3 (definition removed, all usages removed) +yields + +Game 28 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk, sk')) = dh2[ri_51]) && (exp(g, mult(sk, z_1)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then + return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) 
+ orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(g, mult(sk[i1_2], sk)) = dh2[ri_41]) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(pk_R, sk) = dh2[ri_31]) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_31], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + pkR_2: G_t <- exp(g, 
sk); + find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_24, u_25])) + orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + return(AuthDecap_Some(r_3[u_22])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_5, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_1[ri_18, ri_19], sk'[ri_18, ri_19], sk[ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = 
label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[ri_19], sk'[ri_18, ri_19]))) && (dh1 = exp(g, mult(sk[ri_19], z_1[ri_18, ri_19]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = 
exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying equivalence gdh(exp) with variables: sk -> a, z_1 -> b. [probability Adv_GDH(time_1, 5 * Qh) + (#Ochall + N) * PDistRerandom + (#Ochall^2 + 2 * #OAEncap^2 + N^2) * PCollKey] + - Equivalence gdh(exp) with variables: sk -> a, z_1 -> b. 
+yields + +Game 29 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + {41} find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pkR_1 = pkR'[ri_51]) && (pkE_3 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && ((x: Z_t <- sk'; exp(g, mult(sk, x))) = dh2[ri_51]) && (m_3: G_t <- dh1[ri_51]; false) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_3: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_2)) + else + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_5: G_t <- pk_R; (m_5 = exp(g, sk[i1_3]))) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then + return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) + orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && 
(label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m_10: G_t <- dh2[ri_41]; (m_10 = exp(g, mult(sk[i1_2], sk)))) && ((x_1: Z_t <- z_6; exp(g, mult(sk[i1_2], x_1))) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_4: G_t <- dh2[ri_31]; m'_1: G_t <- pk_R; (m_4 = exp(m'_1, sk))) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_31], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + pkR_2: G_t <- exp(g, sk); + find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = 
pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_24, u_25])) + orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + return(AuthDecap_Some(r_3[u_22])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_12: G_t <- dh2[ri_21]; m'_3: G_t <- pk_S; (m_12 = exp(m'_3, sk))) && (m_11: G_t <- dh1[ri_21]; m'_2: G_t <- pkE_5; (m_11 = exp(m'_2, sk))) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + {812} find [unique] u_18 = ri_18 <= Qcperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], sk[ri_19], sk'[ri_18, ri_19], pkE_3[ri_18, ri_19], pkR_1[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pkR_1[ri_18, ri_19]) && (pkE' = pkE_3[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = (x_2: Z_t <- sk'[ri_18, ri_19]; exp(g, mult(sk[ri_19], x_2)))) && (m_14: 
G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_15: G_t <- dh2; m'_4: G_t <- pk_R[ri_16, ri_17]; (m_15 = exp(m'_4, sk[ri_17]))) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_20: G_t <- dh2; (m_20 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15])))) && (dh1 = (x_3: Z_t <- z_6[ri_14, ri_15]; exp(g, mult(sk[i1_2[ri_14, ri_15]], x_3)))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_22: G_t <- dh2; m'_6: G_t <- pk_S[ri_12, ri_13]; (m_22 = exp(m'_6, sk[ri_13]))) && (m_21: G_t <- dh1; m'_5: G_t 
<- pkE_5[ri_12, ri_13]; (m_21 = exp(m'_5, sk[ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying expand + - Expand if/find/let + - Remove branch 1 in find at 812 + - Remove branch 1 in find at 41 + - Find at 41 removed (else branch kept if any) +yields + +Game 30 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + pkR_1: G_t <- exp(g, sk); + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + enc_2: bitstring <- Serialize(pkE_3); + pkS: G_t <- exp(g, sk'); + r <-R eae_output_t; + zz_3: eae_output_t <- r; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (m_5: G_t <- pk_R; (m_5 = exp(g, sk[i1_3]))) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, 
i1_2]) then + return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) + orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (m_10: G_t <- dh2[ri_41]; x_1: Z_t <- z_6; ((pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m_10 = exp(g, mult(sk[i1_2], sk))) && (exp(g, mult(sk[i1_2], x_1)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]))) then + return(AuthEncap_tuple(r_4[u_41], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (m_4: G_t <- dh2[ri_31]; m'_1: G_t <- pk_R; ((pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_4 = exp(m'_1, sk)) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]))) then + return(AuthEncap_tuple(r_4[u_31], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(zz_3[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = 
cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(zz_3[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + pkR_2: G_t <- exp(g, sk); + find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_24, u_25])) + orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + return(AuthDecap_Some(r_3[u_22])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (m_12: G_t <- dh2[ri_21]; m'_3: G_t <- pk_S; m_11: G_t <- dh1[ri_21]; m'_2: G_t <- pkE_5; ((pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_12 = exp(m'_3, sk)) && (m_11 = exp(m'_2, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]))) then + return(AuthDecap_Some(r_4[u_21])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], 
z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (m_15: G_t <- dh2; m'_4: G_t <- pk_R[ri_16, ri_17]; ((pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_15 = exp(m'_4, sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (m_20: G_t <- dh2; x_3: Z_t <- z_6[ri_14, ri_15]; ((pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_20 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], x_3))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (m_22: G_t <- dh2; m'_6: G_t <- pk_S[ri_12, ri_13]; m_21: G_t <- dh1; m'_5: G_t <- pkE_5[ri_12, ri_13]; ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_22 = exp(m'_6, sk[ri_13])) && (m_21 = exp(m'_5, sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat 
defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on m_15 (definition removed, all usages removed) + - Remove assignments on m'_4 (definition removed, all usages removed) + - Remove assignments on m_20 (definition removed, all usages removed) + - Remove assignments on x_3 (definition removed, all usages removed) + - Remove assignments on m_22 (definition removed, all usages removed) + - Remove assignments on m'_6 (definition removed, all usages removed) + - Remove assignments on m_21 (definition removed, all usages removed) + - Remove assignments on m'_5 (definition removed, all usages removed) + - Remove assignments on m_12 (definition removed, all usages removed) + - Remove assignments on m'_3 (definition removed, all usages removed) + - Remove assignments on m_11 (definition removed, all usages removed) + - Remove assignments on m'_2 (definition removed, all usages removed) + - Remove assignments on m_4 (definition removed, all usages removed) + - Remove assignments on m'_1 (definition removed, all usages removed) + - Remove assignments on m_10 (definition removed, all usages removed) + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on m_5 
(definition removed, all usages removed) + - Remove assignments on pkR_1 (definition removed, all usages removed) + - Remove assignments on pkS (definition removed, all usages removed) + - Remove assignments on zz_3 (definition removed, all usages removed) +yields + +Game 31 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ic <= Qcperuser do + Ochall(sk': Z_t) := + z_1 <-R Z_t; + pkE_3: G_t <- exp(g, z_1); + enc_2: bitstring <- Serialize(pkE_3); + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_2)) + ) | ( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_2 = i1_3 <= N suchthat defined(sk[i1_3]) && (pk_R = exp(g, sk[i1_3])) then + z_6 <-R Z_t; + pkE_12: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_12); + pkS_1: G_t <- exp(g, sk); + find [unique] u_42 = ri_42 <= Qdperuser suchthat defined(r_3[ri_42, i1_2], pkE_5[ri_42, i1_2], pk_S[ri_42, i1_2]) && (pkS_1 = pk_S[ri_42, i1_2]) && (pkE_12 = pkE_5[ri_42, i1_2]) then + return(AuthEncap_tuple(r_3[u_42, i1_2], enc_9)) + orfind u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS_1 = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_12 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(g, mult(sk[i1_2], sk))) && (exp(g, mult(sk[i1_2], z_6)) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_9)) + else + r_2 <-R eae_output_t; + return(AuthEncap_tuple(r_2, enc_9)) + else + z_7 <-R Z_t; + pkE_13: G_t <- exp(g, z_7); + enc_10: bitstring <- Serialize(pkE_13); + pkS_1: G_t <- exp(g, sk); + find [unique] u_31 = 
ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pkS_1 = pkS'[ri_31]) && (pk_R = pkR'[ri_31]) && (pkE_13 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (dh2[ri_31] = exp(pk_R, sk)) && (exp(pk_R, z_7) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + return(AuthEncap_tuple(r_4[u_31], enc_10)) + else + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_10)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, cd: bitstring) := + find ic_2 = ic_3 <= Qcperuser suchthat defined(r[ic_3], sk'[ic_3], enc_2[ic_3]) && (enc_2[ic_3] = cd) && (exp(g, sk'[ic_3]) = pk_S) then + return(AuthDecap_Some(r[ic_2])) + else + let Serialize(pkE_5: G_t) = cd in + pkR_2: G_t <- exp(g, sk); + find [unique] u_24 = ri_24 <= Qeperuser, u_25 = ri_25 <= N suchthat defined(r_2[ri_24, ri_25], pkE_12[ri_24, ri_25], i1_2[ri_24, ri_25], pkS_1[ri_24, ri_25]) && (pk_S = pkS_1[ri_24, ri_25]) && (i = i1_2[ri_24, ri_25]) && (pkE_5 = pkE_12[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_24, u_25])) + orfind u_22 = ri_22 <= Qdperuser suchthat defined(r_3[ri_22], pkE_5[ri_22], pk_S[ri_22]) && (pk_S = pk_S[ri_22]) && (pkE_5 = pkE_5[ri_22]) then + return(AuthDecap_Some(r_3[u_22])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_2 = pkR'[ri_21]) && (pkE_5 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) 
&& (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_5, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_7[ri_16, ri_17], sk[ri_17], pkE_13[ri_16, ri_17], pk_R[ri_16, ri_17], pkS_1[ri_16, ri_17]) && (pkS' = pkS_1[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_13[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_16, ri_17], sk[ri_17])) && (dh1 = exp(pk_R[ri_16, ri_17], z_7[ri_16, ri_17])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], sk[i1_2[ri_14, ri_15]], pkE_12[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_1[ri_14, ri_15]) && (pkS' = pkS_1[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_12[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_2[ri_14, ri_15]], sk[ri_15]))) && (dh1 = exp(g, mult(sk[i1_2[ri_14, ri_15]], z_6[ri_14, ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = 
lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_5[ri_12, ri_13], pkR_2[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_2[ri_12, ri_13]) && (pkE' = pkE_5[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_12, ri_13], sk[ri_13])) && (dh1 = exp(pkE_5[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + +Initial state +Game 32 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + {19} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (pkR_4: G_t <- exp(g, sk_1); {25}let (skE_6: Z_t, pkE_9: G_t) = (z_4 <-R Z_t; (z_4, exp(g, z_4))) in dh_9: GG_t <- concatDH(exp(pkR_4, skE_6), exp(pkR_4, sk'_1)); enc_7: bitstring <- Serialize(pkE_9); pkS_3: G_t <- exp(g, sk'_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, 
pkS_3); zz_9: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_9, enc_7) else AuthEncap_None) in + k' <-R eae_output_t; + return(AuthEncap_tuple(k', ce)) + else + return(AuthEncap_None) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + return({132}(let (skE_7: Z_t, pkE_10: G_t) = (z_5 <-R Z_t; (z_5, exp(g, z_5))) in dh_10: GG_t <- concatDH(exp(pk_R_1, skE_7), exp(pk_R_1, sk_1)); enc_8: bitstring <- Serialize(pkE_10); pkS_4: G_t <- exp(g, sk_1); kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); zz_10: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); AuthEncap_tuple(zz_10, enc_8) else AuthEncap_None)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(ce[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1]) && (ce[ic1, i1] = cd_1) && ((exponent_15: Z_t <- sk'_1[ic1, i1]; exp(g, exponent_15)) = pk_S_1) && ((exponent_16: Z_t <- sk_1[i1]; exp(g, exponent_16)) = exp(g, sk_1)) then + return(AuthDecap_Some(k'[ic1_1, i1_1])) + else + return((skR_1: Z_t <- sk_1; let Serialize(pkE_11: G_t) = cd_1 in dh_11: GG_t <- concatDH(exp(pkE_11, skR_1), exp(pk_S_1, skR_1)); pkR_5: G_t <- exp(g, skR_1); kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); zz_11: eae_output_t <- (key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); 
ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5))); AuthDecap_Some(zz_11) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying expand [probability N^2 * PCollKey] + - Expand if/find/let + - Simplify pattern (skE_7: Z_t, pkE_10: G_t) (tuple expanded) at 132 + - Remove else branch of let at 132 + - Simplify pattern (skE_6: Z_t, pkE_9: G_t) (tuple expanded) at 25 + - Remove else branch of let at 25 + - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 19 + - Remove else branch of let at 19 +yields + +Game 33 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + pkR_4: G_t <- exp(g, sk_1); + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + skE_6: Z_t <- z_4; + dh_9: GG_t <- concatDH(exp(pkR_4, skE_6), exp(pkR_4, sk'_1)); + enc_7: bitstring <- Serialize(pkE_9); + pkS_3: G_t <- exp(g, sk'_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pkS_3); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + ce: bitstring <- enc_7; + k: eae_output_t <- zz_9; + k' <-R eae_output_t; + return(AuthEncap_tuple(k', ce)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + skE_7: Z_t <- z_5; + dh_10: GG_t <- concatDH(exp(pk_R_1, skE_7), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, 
label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(ce[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1]) && (exponent_15: Z_t <- sk'_1[ic1, i1]; exponent_16: Z_t <- sk_1[i1]; ((ce[ic1, i1] = cd_1) && (exp(g, exponent_15) = pk_S_1) && (exp(g, exponent_16) = exp(g, sk_1)))) then + return(AuthDecap_Some(k'[ic1_1, i1_1])) + else + skR_1: Z_t <- sk_1; + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, skR_1), exp(pk_S_1, skR_1)); + pkR_5: G_t <- exp(g, skR_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR_1 (definition removed, all usages removed) + - Remove assignments on exponent_15 (definition removed, all usages removed) + - Remove assignments on exponent_16 (definition removed, all usages removed) + - Remove assignments on skE_7 (definition removed, all usages removed) + - Remove assignments on skE_6 (definition removed, all usages removed) + - Remove assignments on ce (definition removed, all usages removed) + - Remove assignments on k (definition removed, all usages 
removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on key_3 (definition removed, all usages removed) + - Remove assignments on info_3 (definition removed, all usages removed) + - Remove assignments on dh_9 (definition removed, all usages removed) + - Remove assignments on kemContext_9 (definition removed, all usages removed) + - Remove assignments on pkR_4 (definition removed, all usages removed) + - Remove assignments on pkS_3 (definition removed, all usages removed) +yields + +Game 34 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + {142} find ic1_1 = ic1 <= Qcperuser, i1_1 = i1 <= N suchthat defined(enc_7[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1]) && {150}((enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1))) then + return(AuthDecap_Some(k'[ic1_1, i1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + 
pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced ((enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (exp(g, sk_1[i1]) = exp(g, sk_1))) with ((enc_7[ic1, i1] = cd_1) && (exp(g, sk'_1[ic1, i1]) = pk_S_1) && (i1 = i_1)) at 150 + - In branch 1 of find at 142, substituting i1_1 with i_1 + - Replaced defined condition enc_7[ic1, i1], k'[ic1, i1], sk'_1[ic1, i1], sk_1[i1] with k'[ic1], sk'_1[ic1], enc_7[ic1] in find at 142 +yields + +Game 35 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- 
ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && {149}((enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) && (i_1 = i_1)) then + i1_1 <= N <- i_1; + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify + - Simplification pass + - Replaced ((enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) && (i_1 = i_1)) with ((enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1)) at 149 +yields + +Game 36 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, 
pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + i1_1 <= N <- i_1; + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on i1_1 (definition removed, all usages removed) +yields + +Game 37 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + {48} z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, 
sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction find i2 <= N suchthat + defined(sk_1[i2]) + && pk_R_1 = exp(g, sk_1[i2]) then at occurrence 48 +yields + +Game 38 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + 
OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- 
ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + {367} return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand(l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 367 +yields + +Game 39 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + 
kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + else + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_10 -> hk +yields + +Game 40 is + Ostart() := + return(); + (( + foreach i_1 <= N do + 
Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {128}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] orfind u_92 = ri_92 <= Qh suchthat defined(x_O_10[ri_92], r_10[ri_92]) && {197}(x_O_7 = x_O_10[ri_92]) then r_10[u_92] else r_7 <-R eae_output_t; r_7); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {300}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] orfind u_84 = ri_84 <= Qh suchthat defined(x_O_10[ri_84], r_10[ri_84]) && {369}(x_O_6 = x_O_10[ri_84]) then r_10[u_84] else r_6 <-R eae_output_t; r_6); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {500}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, 
u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] orfind u_76 = ri_76 <= Qh suchthat defined(x_O_10[ri_76], r_10[ri_76]) && {569}(x_O_8 = x_O_10[ri_76]) then r_10[u_76] else r_8 <-R eae_output_t; r_8); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_9: eae_input_t <- x1_1; {620}find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] orfind u_68 = ri_68 <= Qh suchthat defined(x_O_10[ri_68], r_10[ri_68]) && {678}(x_O_9 = x_O_10[ri_68]) then r_10[u_68] else r_9 <-R eae_output_t; r_9)) + else + return((x_O_10: eae_input_t <- x1_1; {695}find [unique] u_66 = ri_66 <= Qeperuser, 
u_67 = ri_67 <= N suchthat defined(x_O_6[ri_66, ri_67], r_6[ri_66, ri_67]) && {700}(x_O_10 = x_O_6[ri_66, ri_67]) then r_6[u_66, u_67] orfind u_64 = ri_64 <= Qeperuser, u_65 = ri_65 <= N suchthat defined(x_O_7[ri_64, ri_65], r_7[ri_64, ri_65]) && {715}(x_O_10 = x_O_7[ri_64, ri_65]) then r_7[u_64, u_65] orfind u_62 = ri_62 <= Qdperuser, u_63 = ri_63 <= N suchthat defined(x_O_8[ri_62, ri_63], r_8[ri_62, ri_63]) && {730}(x_O_10 = x_O_8[ri_62, ri_63]) then r_8[u_62, u_63] orfind u_61 = ri_61 <= Qh suchthat defined(x_O_9[ri_61], r_9[ri_61]) && {743}(x_O_10 = x_O_9[ri_61]) then r_9[u_61] orfind u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) + )) + + +Applying simplify (non-expanded game) [probability (#OAEncap^2 + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O_7 = x_O_10[ri_92]) with false at 197 + - Remove branch 5 in find at 128 + - Replaced (x_O_6 = x_O_10[ri_84]) with false at 369 + - Remove branch 5 in find at 300 + - Replaced (x_O_8 = x_O_10[ri_76]) with false at 569 + - Remove branch 5 in find at 500 + - Replaced (x_O_9 = x_O_10[ri_68]) with false at 678 + - Remove branch 5 in find at 620 + - Replaced (x_O_10 = x_O_9[ri_61]) with false at 743 + - Remove branch 4 in find at 695 + - Replaced (x_O_10 = x_O_8[ri_62, ri_63]) with false at 730 + - Remove branch 3 in find at 695 + - Replaced (x_O_10 = x_O_7[ri_64, ri_65]) with false at 715 + - Remove branch 2 in find at 695 + - Replaced (x_O_10 = x_O_6[ri_66, ri_67]) with false at 700 + - Remove branch 1 in find at 695 +yields + +Game 41 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = 
i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {128}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] else r_7 <-R eae_output_t; r_7); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {288}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, 
u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] else r_6 <-R eae_output_t; r_6); + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {476}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] else r_8 <-R eae_output_t; r_8); + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + 
return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_9: eae_input_t <- x1_1; find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] else r_9 <-R eae_output_t; r_9)) + else + return((x_O_10: eae_input_t <- x1_1; find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) + )) + + +Applying expand [probability (#OAEncap^2 + #OAEncap * N + N^2) * PCollKey] + - Expand if/find/let + - Remove branch 1 in find at 476 + - Remove branch 3 in find at 288 + - Remove branch 2 in find at 288 + - Remove branch 1 in find at 288 + - Remove branch 2 in find at 128 + - Remove branch 1 in find at 128 +yields + +Game 42 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + 
OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then + zz_10: eae_output_t <- r_8[u_94, u_95]; + return(AuthEncap_tuple(zz_10, enc_8)) + orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then + zz_10: eae_output_t <- r_9[u_93]; + return(AuthEncap_tuple(zz_10, enc_8)) + else + r_7 <-R eae_output_t; + zz_10: eae_output_t <- r_7; + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then + zz_10: eae_output_t <- r_9[u_85]; + return(AuthEncap_tuple(zz_10, enc_8)) + else + r_6 <-R eae_output_t; + zz_10: eae_output_t <- r_6; + return(AuthEncap_tuple(zz_10, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: 
G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then + zz_11: eae_output_t <- r_7[u_80, u_81]; + return(AuthDecap_Some(zz_11)) + orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then + zz_11: eae_output_t <- r_8[u_78, u_79]; + return(AuthDecap_Some(zz_11)) + orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then + zz_11: eae_output_t <- r_9[u_77]; + return(AuthDecap_Some(zz_11)) + else + r_8 <-R eae_output_t; + zz_11: eae_output_t <- r_8; + return(AuthDecap_Some(zz_11)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- x1_1; + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], 
r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- x1_1; + find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_10 (definition point kept, all usages removed) + - Remove assignments on x_O_9 (definition point kept, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) +yields + +Game 43 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) 
+ ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- {65}concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + {127} find [unique] u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && {132}(x_O_7 = x_O_8[ri_94, ri_95]) then + return(AuthEncap_tuple(r_8[u_94, u_95], enc_8)) + orfind u_93 = ri_93 <= Qh suchthat defined(x1_1[ri_93], x_O_9[ri_93], r_9[ri_93]) && {156}(x_O_7 = x1_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_93], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + {262} find [unique] u_85 = ri_85 <= Qh suchthat defined(x1_1[ri_85], x_O_9[ri_85], r_9[ri_85]) && {266}(x_O_6 = x1_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat 
defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + {400} find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && {405}(x_O_8 = x_O_7[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_80, u_81])) + orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && {427}(x_O_8 = x_O_8[ri_78, ri_79]) then + return(AuthDecap_Some(r_8[u_78, u_79])) + orfind u_77 = ri_77 <= Qh suchthat defined(x1_1[ri_77], x_O_9[ri_77], r_9[ri_77]) && {448}(x_O_8 = x1_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + {497} find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && {502}(x1_1 = x_O_6[ri_74, ri_75]) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat 
defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && {520}(x1_1 = x_O_7[ri_72, ri_73]) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && {538}(x1_1 = x_O_8[ri_70, ri_71]) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(x1_1[ri_69], x_O_9[ri_69], r_9[ri_69]) && {555}(x1_1 = x1_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + {575} find [unique] u_60 = ri_60 <= Qh suchthat defined(x1_1[ri_60], x_O_10[ri_60], r_10[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced defined condition x1_1[ri_60], x_O_10[ri_60], r_10[ri_60] with r_10[ri_60], x1_1[ri_60] in find at 575 + - Replaced (x1_1 = x1_1[ri_69]) with ((pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69])) at 555 + - Replaced defined condition x1_1[ri_69], x_O_9[ri_69], r_9[ri_69] with r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69] in find at 497 + - Replaced (x1_1 = x_O_8[ri_70, ri_71]) with ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, 
ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 538 + - Replaced defined condition x_O_8[ri_70, ri_71], r_8[ri_70, ri_71] with r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71] in find at 497 + - Replaced (x1_1 = x_O_7[ri_72, ri_73]) with ((pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 520 + - Replaced defined condition x_O_7[ri_72, ri_73], r_7[ri_72, ri_73] with r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73] in find at 497 + - Replaced (x1_1 = x_O_6[ri_74, ri_75]) with ((pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 502 + - Replaced defined condition x_O_6[ri_74, ri_75], r_6[ri_74, ri_75] with r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75] in find at 497 + - Replaced (x_O_8 = x1_1[ri_77]) with ((pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && 
(I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77])) at 448 + - Replaced defined condition x1_1[ri_77], x_O_9[ri_77], r_9[ri_77] with r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77] in find at 400 + - Replaced (x_O_8 = x_O_8[ri_78, ri_79]) with ((pk_S_1 = pk_S_1[ri_78, ri_79]) && (i_1 = ri_79) && (pkE_11 = pkE_11[ri_78, ri_79])) at 427 + - In branch 2 of find at 400, substituting u_79 with i_1 + - Replaced defined condition x_O_8[ri_78, ri_79], r_8[ri_78, ri_79] with r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78] in find at 400 + - Replaced (x_O_8 = x_O_7[ri_80, ri_81]) with ((pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81])) at 405 + - Replaced defined condition x_O_7[ri_80, ri_81], r_7[ri_80, ri_81] with r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81] in find at 400 + - Replaced (x_O_6 = x1_1[ri_85]) with ((pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85])) at 266 + - Replaced defined condition x1_1[ri_85], x_O_9[ri_85], r_9[ri_85] with r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85] in find at 
262 + - Replaced concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)) with concatDH(exp(g, mult(sk_1[i2_901], z_5)), exp(g, mult(sk_1[i2_901], sk_1))) at 65 + - Replaced (x_O_7 = x1_1[ri_93]) with ((pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93])) at 156 + - Replaced defined condition x1_1[ri_93], x_O_9[ri_93], r_9[ri_93] with r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93] in find at 127 + - Replaced (x_O_7 = x_O_8[ri_94, ri_95]) with ((pkS_4 = pk_S_1[ri_94, ri_95]) && (i2_901 = ri_95) && (pkE_10 = pkE_11[ri_94, ri_95])) at 132 + - In branch 1 of find at 127, substituting u_95 with i2_901 + - Replaced defined condition x_O_8[ri_94, ri_95], r_8[ri_94, ri_95] with r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901] in find at 127 +yields + +Game 44 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_901], z_5)), exp(g, mult(sk_1[i2_901], sk_1))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: 
G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && {146}((pkS_4 = pk_S_1[ri_94, i2_901]) && (i2_901 = i2_901) && (pkE_10 = pkE_11[ri_94, i2_901])) then + u_95 <= N <- i2_901; + return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) + orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_93], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, 
info_4); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_80, u_81])) + orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && {666}((pk_S_1 = pk_S_1[ri_78]) && 
(i_1 = i_1) && (pkE_11 = pkE_11[ri_78])) then + u_79 <= N <- i_1; + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && 
(protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = 
suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_11 = pkE_11[ri_78])) with ((pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78])) at 666 + - Replaced ((pkS_4 = pk_S_1[ri_94, i2_901]) && (i2_901 = i2_901) && (pkE_10 = pkE_11[ri_94, i2_901])) with ((pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901])) at 146 +yields + +Game 45 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_901], z_5)), exp(g, mult(sk_1[i2_901], sk_1))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then + u_95 <= N <- 
i2_901; + return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) + orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_93], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R_1, pkS_4); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk 
= label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + kemContext_11: GGG_t <- concatContext(pkE_11, pkR_5, pk_S_1); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_80, u_81])) + orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + u_79 <= N <- i_1; + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = 
dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, 
mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying move all binders + - Move assignment to x_O_10 + - Move assignment to x_O_9 + - Move assignment to x_O_8 + - Move assignment to info_5 + - Move assignment to key_5 + - Move assignment to kemContext_11 + - Move 
assignment to x_O_6 + - Move assignment to info_4 + - Move assignment to key_4 + - Move assignment to kemContext_10 + - Move assignment to x_O_7 + - Move assignment to info_4 + - Move assignment to key_4 + - Move assignment to kemContext_10 +yields + +Game 46 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk_1[i2_901], z_5)), exp(g, mult(sk_1[i2_901], sk_1))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then + u_95 <= N <- i2_901; + return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) + orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_93], enc_8)) + else + 
r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + dh_11: GG_t <- concatDH(exp(pkE_11, sk_1), exp(pk_S_1, sk_1)); + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_80, u_81])) + orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + u_79 <= N <- i_1; + return(AuthDecap_Some(r_8[u_78])) + 
orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat 
defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else 
+ find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_11 (definition removed, all usages removed) + - Remove assignments on u_79 (definition removed, all usages removed) + - Remove assignments on dh_10 (definition removed, all usages removed) + - Remove assignments on dh_10 (definition removed, all usages removed) + - Remove assignments on u_95 (definition removed, all usages removed) +yields + +Game 47 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then + return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) + orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, 
mult(sk_1[i2_901], z_5)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_93], enc_8)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_8)) + else + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_80, u_81])) + orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = 
pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + 
return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_5[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_5[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = 
salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying SA rename z_5 + - Rename variable z_5 into z_9, z_8 +yields + +Game 48 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_8 <-R Z_t; + pkE_10: G_t <- exp(g, z_8); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then + return(AuthEncap_tuple(r_8[u_94, i2_901], enc_8)) + orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_93], enc_8)) + else + r_7 <-R eae_output_t; 
+ return(AuthEncap_tuple(r_7, enc_8)) + else + z_9 <-R Z_t; + pkE_10: G_t <- exp(g, z_9); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_8)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_8)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_80, u_81])) + orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], 
protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = 
pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + 
return(r_10) + )) + + +Applying SA rename enc_8 + - Rename variable enc_8 into enc_12, enc_11 +yields + +Game 49 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do + Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_8 <-R Z_t; + pkE_10: G_t <- exp(g, z_8); + enc_11: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_10 = pkE_11[ri_94, i2_901]) then + return(AuthEncap_tuple(r_8[u_94, i2_901], enc_11)) + orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_10 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_93], enc_11)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_11)) + else + z_9 <-R Z_t; + pkE_10: G_t <- exp(g, z_9); + enc_12: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], 
protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_10 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_12)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_12)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_10[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_10[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_80, u_81])) + orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) 
&& (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_10[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_10[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_10[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_10[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, 
ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying SA rename pkE_10 + - Rename variable pkE_10 into pkE_15, pkE_14 +yields + +Game 50 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ic_1 <= Qcperuser do 
+ Ochall(sk'_1: Z_t) := + z_4 <-R Z_t; + pkE_9: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_9); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + ) | ( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i2_901 = i2_902 <= N suchthat defined(sk_1[i2_902]) && (pk_R_1 = exp(g, sk_1[i2_902])) then + z_8 <-R Z_t; + pkE_14: G_t <- exp(g, z_8); + enc_11: bitstring <- Serialize(pkE_14); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_94 = ri_94 <= Qdperuser suchthat defined(r_8[ri_94, i2_901], pkE_11[ri_94, i2_901], pk_S_1[ri_94, i2_901]) && (pkS_4 = pk_S_1[ri_94, i2_901]) && (pkE_14 = pkE_11[ri_94, i2_901]) then + return(AuthEncap_tuple(r_8[u_94, i2_901], enc_11)) + orfind u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_4 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_14 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i2_901], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i2_901], z_8)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + return(AuthEncap_tuple(r_9[u_93], enc_11)) + else + r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_11)) + else + z_9 <-R Z_t; + pkE_15: G_t <- exp(g, z_9); + enc_12: bitstring <- Serialize(pkE_15); + pkS_4: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_4 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && 
(pkE_15 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_9) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_12)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_12)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd_1: bitstring) := + find ic1_1 = ic1 <= Qcperuser suchthat defined(k'[ic1], sk'_1[ic1], enc_7[ic1]) && (enc_7[ic1] = cd_1) && (exp(g, sk'_1[ic1]) = pk_S_1) then + return(AuthDecap_Some(k'[ic1_1])) + else + let Serialize(pkE_11: G_t) = cd_1 in + pkR_5: G_t <- exp(g, sk_1); + find [unique] u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(r_7[ri_80, ri_81], pkE_14[ri_80, ri_81], i2_901[ri_80, ri_81], pkS_4[ri_80, ri_81]) && (pk_S_1 = pkS_4[ri_80, ri_81]) && (i_1 = i2_901[ri_80, ri_81]) && (pkE_11 = pkE_14[ri_80, ri_81]) then + return(AuthDecap_Some(r_7[u_80, u_81])) + orfind u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_11[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_11 = pkE_11[ri_78]) then + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_5 = pkR''[ri_77]) && (pkE_11 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_11, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = 
protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_9[ri_74, ri_75], sk_1[ri_75], pkE_15[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_4[ri_74, ri_75]) && (pkS'' = pkS_4[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_15[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_9[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_8[ri_72, ri_73], sk_1[ri_73], sk_1[i2_901[ri_72, ri_73]], pkE_14[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_4[ri_72, ri_73]) && (pkS'' = pkS_4[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_14[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i2_901[ri_72, ri_73]], z_8[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, 
u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_11[ri_70, ri_71], pkR_5[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_5[ri_70, ri_71]) && (pkE'' = pkE_11[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_11[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Proved indistinguishability between game 50 and game 1 +Game 50 is the same as game 31. 
+Adv[Game 1: indistinguishability from game 31] <= Adv_GDH(time_1, 5 * Qh) + (N + #Ochall) * PDistRerandom + (#OADecap * Qcperuser + #OAEncap * N + 4 * N^2 + 4 * #Ochall * #OAEncap + 3 * #Ochall^2 + 8 * #OAEncap^2) * PCollKey + Adv[Game 31: indistinguishability from game 31] +Adv[Game 31: indistinguishability from game 31] <= 0 +Adv[Game 32: indistinguishability from game 50] <= (#OAEncap * N + 2 * #OAEncap^2 + 5 * N^2) * PCollKey + Adv[Game 50: indistinguishability from game 50] +Adv[Game 50: indistinguishability from game 50] <= 0 +RESULT Proved indistinguishability between game 32 and game 1 up to probability Adv_GDH(time_1, 5 * Qh) + (N + #Ochall) * PDistRerandom + (#OADecap * Qcperuser + 2 * #OAEncap * N + 9 * N^2 + 4 * #Ochall * #OAEncap + 3 * #Ochall^2 + 10 * #OAEncap^2) * PCollKey +RESULT time_1 = (#Ochall + #OAEncap) * time(Serialize) + #Ochall * time(AuthEncap_tuple, maxlength(game 28: enc_2)) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_9)) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_10)) + #OADecap * Qcperuser * time(= bitstring, maxlength(game 28: enc_2), maxlength(game 28: cd)) + (#OADecap * Qcperuser + 2 * Qh * #OAEncap + 3 * #Ochall + 2 * #OAEncap + 1 + N) * time(exp) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (2 * Qh * #Ochall + 3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) + time +All queries proved.
diff --git a/dhkem.auth.outsider-auth-lr.m4.ocv b/dhkem.auth.outsider-auth-lr.m4.ocv
index 5a54982..0aabe26 100644
--- a/dhkem.auth.outsider-auth-lr.m4.ocv
+++ b/dhkem.auth.outsider-auth-lr.m4.ocv
@@ -1,5 +1,8 @@
 proof {
- allowed_collisions pest150;
+ allowed_collisions default^4/large;
+ (* We allow eliminating collisions with probability in power 4 of
+ N, Qeperuser, Qdperuser, Qcperuser times PCollKey, to allow q^2 * PCollKey,
+ where q = N * (Qeperuser + Qdperuser + Qcperuser) *)
 (* start on the left side *)
 out_game "l.out.cv";
@@ -149,7 +152,7 @@ include(`common.dhkem.ocv')
 event AuthEncap_does_not_fail.
-param N, Qeperuser, Qdperuser [size30].
+param N, Qeperuser, Qdperuser.
 equivalence
 Ostart() :=
diff --git a/dhkem.auth.outsider-auth-lr.ocv b/dhkem.auth.outsider-auth-lr.ocv
index 92d8ba7..117735f 100644
--- a/dhkem.auth.outsider-auth-lr.ocv
+++ b/dhkem.auth.outsider-auth-lr.ocv
@@ -1,5 +1,8 @@
 proof {
- allowed_collisions pest150;
+ allowed_collisions default^4/large;
+ (* We allow eliminating collisions with probability in power 4 of
+ N, Qeperuser, Qdperuser, Qcperuser times PCollKey, to allow q^2 * PCollKey,
+ where q = N * (Qeperuser + Qdperuser + Qcperuser) *)
 (* start on the left side *)
 out_game "l.out.cv";
@@ -129,8 +132,8 @@ proof {
 type G_t [bounded].
 fun Serialize(G_t): bitstring [data].
-type Z_t [bounded,pcoll250,nonuniform].
-proba PCollKey [pest250].
+type Z_t [bounded,nonuniform].
+proba PCollKey.
 expand DH_proba_collision_minimal(
 G_t,
@@ -315,7 +318,7 @@ letfun AuthDecap(key_extr: hash_key_t, enc: bitstring, skR: Z_t, pkS: G_t) =
 event AuthEncap_does_not_fail.
-param N, Qeperuser, Qdperuser [size30].
+param N, Qeperuser, Qdperuser.
 equivalence
 Ostart() :=
diff --git a/dhkem.auth.outsider-auth-lr.proof b/dhkem.auth.outsider-auth-lr.proof
index 611173d..c6e25a5 100644
--- a/dhkem.auth.outsider-auth-lr.proof
+++ b/dhkem.auth.outsider-auth-lr.proof
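Review bot: The comment added under `allowed_collisions default^4/large;` names `Qcperuser`, but the outsider-auth variant declares only `param N, Qeperuser, Qdperuser.` in this file's second hunk, so the wording looks carried over from the insider-cca files where that parameter exists. The same text is in both dhkem.auth.outsider-auth-lr.m4.ocv and dhkem.auth.outsider-auth-lr.ocv on this line, and since the `pcoll250`/`pest250`/`[size30]` annotations are dropped in the same commit, this comment becomes the only record of why a power-4 collision budget is adequate for this game, so it should name the parameters it actually bounds. Suggested comment: `(* We allow eliminating collisions with probability in power 4 of N, Qeperuser, Qdperuser times PCollKey, to allow q^2 * PCollKey, where q = N * (Qeperuser + Qdperuser) *)`. If Qcperuser is declared elsewhere in the outsider-auth files, disregard.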
@@ -1,6227 +1,5932 @@ -Initial state -Game 1 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - return((skS: Z_t <- sk; {23}let (skE: Z_t, pkE_2: G_t) = (z <-R Z_t; (z, exp(g, z))) in dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); enc_1: bitstring <- Serialize(pkE_2); pkS: G_t <- exp(g, skS); kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); zz_2: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_2, enc_1) else AuthEncap_None)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - return((skR: Z_t <- sk; let Serialize(pkE_3: G_t) = enc_2 in dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); pkR_1: G_t <- exp(g, skR); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); zz_3: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1))); AuthDecap_Some(zz_3) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (skE: Z_t, pkE_2: G_t) (tuple expanded) at 23 - - Remove else branch of let at 23 -yields - -Game 2 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - skS: Z_t <- sk; - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - 
skE: Z_t <- z; - dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, skS); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - skR: Z_t <- sk; - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); - pkR_1: G_t <- exp(g, skR); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR (definition removed, all usages removed) - - Remove assignments on skS (definition removed, all usages removed) - - Remove assignments on skE (definition removed, all usages removed) -yields - -Game 3 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {116} dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction find ie1_1 = ie1 <= Qeperuser, i1_3 = i1_2 <= N suchthat - defined(zz_2[ie1, i1_2], enc_1[ie1, i1_2], sk[i1_2], pk_R[ie1, i1_2]) - && (exp(g, sk) = pk_R[ie1, i1_2]) - && (exp(g, sk[i1_2]) = pk_S) - && (enc_1[ie1, i1_2] = enc_2) then - orfind id1_1 = id1 <= Qdperuser suchthat - defined(random_br[id1], zz_3[id1], enc_2[id1], pk_S[id1]) - && (pk_S[id1] = pk_S) - && (enc_2[id1] = enc_2) then - else - find i1_1 = i1 <= N suchthat - defined(sk[i1]) - && (pk_S = exp(g, sk[i1])) then - random_br <- true at occurrence 116 -yields - -Game 4 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- 
exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {116} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], enc_1[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {124}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (enc_1[ie1_3, i1_9] = enc_2)) then - dh_3: GG_t <- {150}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], enc_2[id1_3], pk_S[id1_3]) && {229}((pk_S[id1_3] = pk_S) && (enc_2[id1_3] = enc_2)) then - dh_3: GG_t <- {245}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- 
true; - dh_3: GG_t <- {329}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))) at 329 - - Replaced ((pk_S[id1_3] = pk_S) && (enc_2[id1_3] = enc_2)) with ((pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3)) at 229 - - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))) at 245 - - Replaced defined condition random_br[id1_3], zz_3[id1_3], enc_2[id1_3], pk_S[id1_3] with random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3] in find at 116 - - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (enc_1[ie1_3, i1_9] = enc_2)) with ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) at 124 - - Replaced concatDH(exp(pkE_3, sk), 
exp(pk_S, sk)) with concatDH(exp(g, mult(z[ie1_2, i1_8], sk)), exp(g, mult(sk[i1_8], sk))) at 150 - - Replaced defined condition zz_2[ie1_3, i1_9], enc_1[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] in find at 116 -yields - -Game 5 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - dh_3: GG_t <- concatDH(exp(g, mult(z[ie1_2, i1_8], sk)), exp(g, mult(sk[i1_8], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some({222}zz_3)) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], 
zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- true; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying replace term at occurrence 222 with zz_2[ie1_2, i1_8] -yields - -Game 6 is - Ostart() := - key_extr_3 <-R hash_key_t; - 
return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - dh_3: GG_t <- concatDH(exp(g, mult(z[ie1_2, i1_8], sk)), exp(g, mult(sk[i1_8], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - 
info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- true; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of useless - - Remove assignments on random_br (definition point kept, all usages removed) - - Remove assignments on zz_3 (definition point kept, all usages removed) - - Remove assignments on key_1 (definition removed, all usages removed) - - Remove assignments on info_1 (definition removed, all usages removed) - - Remove assignments on dh_3 (definition removed, all usages removed) - - Remove assignments on kemContext_3 (definition removed, all usages 
removed) - - Remove assignments on pkR_1 (definition removed, all usages removed) -yields - -Game 7 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_3: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some({258}zz_3)) - else - find i1_6 = i1_7 <= N suchthat 
defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- cst_bool; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying replace term at occurrence 258 with zz_3[id1_2] -yields - -Game 8 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - 
return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_3: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- cst_bool; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - 
info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename zz_3 - - Rename variable zz_3 into zz_13, zz_12, zz_11, zz_10 -yields - -Game 9 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_10: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_10[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - 
kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_10[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_11[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_11[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_13[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - 
kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - random_br: bool <- cst_bool; - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on random_br (definition removed, all usages removed) -yields - -Game 10 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - 
pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {116} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_10: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_10[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_10[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_11[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_11[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12[id1_2])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_13[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: 
expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Remove branch 5 in find at 116 - - Remove branch 3 in find at 116 - - Remove branch 2 in find at 116 - - Replaced defined condition zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] in find at 116 -yields - -Game 11 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) 
| ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_10: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, 
label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename dh_3 - - Rename variable dh_3 into dh_12, dh_11, dh_10 -yields - -Game 12 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - zz_10: eae_output_t <- cst_eae_output_t; - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - dh_10: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on key_1 (definition removed, all usages removed) - - Remove assignments on info_1 (definition removed, all usages removed) - - Remove assignments on dh_10 (definition removed, all usages removed) - - Remove assignments on 
kemContext_3 (definition removed, all usages removed) - - Remove assignments on pkR_1 (definition removed, all usages removed) -yields - -Game 13 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {116} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, 
eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3] with zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3] in find at 116 -yields - -Game 14 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && 
(pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename kemContext_3 - - Rename variable kemContext_3 into kemContext_11, kemContext_10 -yields - -Game 15 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- 
concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - 
return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename key_1 - - Rename variable key_1 into key_6, key_5 -yields - -Game 16 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_1: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_1)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_1)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename info_1 - - Rename variable info_1 into info_6, info_5 -yields - -Game 17 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - {18} z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, 
i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction find i1 <= N suchthat - defined(sk[i1]) - && pk_R = exp(g, sk[i1]) then at occurrence 18 -yields - -Game 18 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z <-R Z_t; - pkE_2: G_t <- exp(g, 
z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: 
expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename z - - Rename variable z into z_3, z_2 -yields - -Game 19 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_2: GG_t <- {36}concatDH(exp(pk_R, z_2), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: 
GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - 
return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pk_R, z_2), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))) at 36 -yields - -Game 20 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat 
defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename enc_1 - - Rename variable enc_1 into enc_8, enc_7 -yields - -Game 21 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = 
exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - 
key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename dh_2 - - Rename variable dh_2 into dh_14, dh_13 -yields - -Game 22 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t 
<- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_2[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename zz_2 - - Rename variable zz_2 into zz_15, zz_14 -yields - -Game 23 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {222} find ie1_2 = ie1_3 <= Qeperuser, 
i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {230}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_15[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {273}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) then - return(AuthDecap_Some(zz_15[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - 
-Applying simplify [probability (N * N + #OAEncap * N) * PCollKey] - - Simplification pass - - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) with false at 273 - - Remove branch 2 in find at 222 - - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) with ((i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) at 230 - - Replaced defined condition zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9] in find at 222 -yields - -Game 24 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_15: eae_output_t <- 
ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename kemContext_2 - - Rename 
variable kemContext_2 into kemContext_13, kemContext_12 -yields - -Game 25 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = 
pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename key - - Rename variable key into key_8, key_7 -yields - -Game 26 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, 
label_eae_prk, dh_13); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - 
return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename info - - Rename variable info into info_8, info_7 -yields - -Game 27 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_1: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: 
eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename pkR_1 - - Rename variable pkR_1 into pkR_6, pkR_5 -yields - -Game 28 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind 
id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - {466} return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand( - l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 466 -yields - -Game 29 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do 
- OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, 
mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return(ExtractAndExpand_inner(key_extr_3, x1)) - else - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_3 -> hk -yields - -Game 30 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); 
- enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {104}find [unique] u_58 = ri_58 <= Qeperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O_1 = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O_1 = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O_1 = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O_1 = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then r_4[u_51] orfind u_50 = ri_50 <= Qh suchthat defined(x_O_5[ri_50], r_5[ri_50]) && {191}(x_O_1 = x_O_5[ri_50]) then r_5[u_50] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); {294}find [unique] u_48 = ri_48 <= Qeperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && 
(x_O = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_46 = ri_46 <= Qeperuser, u_47 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], r_1[ri_46, ri_47]) && (x_O = x_O_1[ri_46, ri_47]) then r_1[u_46, u_47] orfind u_44 = ri_44 <= Qdperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then r_4[u_41] orfind u_40 = ri_40 <= Qh suchthat defined(x_O_5[ri_40], r_5[ri_40]) && {381}(x_O = x_O_5[ri_40]) then r_5[u_40] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {563}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= 
N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_3 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_3 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_3 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then r_4[u_31] orfind u_30 = ri_30 <= Qh suchthat defined(x_O_5[ri_30], r_5[ri_30]) && {650}(x_O_3 = x_O_5[ri_30]) then r_5[u_30] else r_3 <-R eae_output_t; r_3); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {735}find [unique] u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_2 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_2 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_2 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= 
Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then r_4[u_21] orfind u_20 = ri_20 <= Qh suchthat defined(x_O_5[ri_20], r_5[ri_20]) && {822}(x_O_2 = x_O_5[ri_20]) then r_5[u_20] else r_2 <-R eae_output_t; r_2); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_4: eae_input_t <- x1; {873}find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] orfind u_10 = ri_10 <= Qh suchthat defined(x_O_5[ri_10], r_5[ri_10]) && {946}(x_O_4 = x_O_5[ri_10]) then r_5[u_10] else r_4 <-R eae_output_t; r_4)) - else - return((x_O_5: eae_input_t <- x1; {963}find [unique] u_8 = ri_8 <= Qeperuser, u_9 = ri_9 <= N suchthat defined(x_O[ri_8, ri_9], r[ri_8, ri_9]) && {968}(x_O_5 = x_O[ri_8, ri_9]) then r[u_8, u_9] orfind u_6 = ri_6 <= Qeperuser, u_7 = ri_7 <= N suchthat defined(x_O_1[ri_6, ri_7], r_1[ri_6, ri_7]) && {983}(x_O_5 = x_O_1[ri_6, 
ri_7]) then r_1[u_6, u_7] orfind u_4 = ri_4 <= Qdperuser, u_5 = ri_5 <= N suchthat defined(x_O_2[ri_4, ri_5], r_2[ri_4, ri_5]) && {998}(x_O_5 = x_O_2[ri_4, ri_5]) then r_2[u_4, u_5] orfind u_2 = ri_2 <= Qdperuser, u_3 = ri_3 <= N suchthat defined(x_O_3[ri_2, ri_3], r_3[ri_2, ri_3]) && {1013}(x_O_5 = x_O_3[ri_2, ri_3]) then r_3[u_2, u_3] orfind u_1 = ri_1 <= Qh suchthat defined(x_O_4[ri_1], r_4[ri_1]) && {1026}(x_O_5 = x_O_4[ri_1]) then r_4[u_1] orfind u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) - )) - - -Applying simplify (non-expanded game) [probability N * N * PCollKey] - - Simplification pass - - Replaced (x_O_1 = x_O_5[ri_50]) with false at 191 - - Remove branch 6 in find at 104 - - Replaced (x_O = x_O_5[ri_40]) with false at 381 - - Remove branch 6 in find at 294 - - Replaced (x_O_3 = x_O_5[ri_30]) with false at 650 - - Remove branch 6 in find at 563 - - Replaced (x_O_2 = x_O_5[ri_20]) with false at 822 - - Remove branch 6 in find at 735 - - Replaced (x_O_4 = x_O_5[ri_10]) with false at 946 - - Remove branch 6 in find at 873 - - Replaced (x_O_5 = x_O_4[ri_1]) with false at 1026 - - Remove branch 5 in find at 963 - - Replaced (x_O_5 = x_O_3[ri_2, ri_3]) with false at 1013 - - Remove branch 4 in find at 963 - - Replaced (x_O_5 = x_O_2[ri_4, ri_5]) with false at 998 - - Remove branch 3 in find at 963 - - Replaced (x_O_5 = x_O_1[ri_6, ri_7]) with false at 983 - - Remove branch 2 in find at 963 - - Replaced (x_O_5 = x_O[ri_8, ri_9]) with false at 968 - - Remove branch 1 in find at 963 -yields - -Game 31 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- 
Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - zz_14: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {104}find [unique] u_58 = ri_58 <= Qeperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && (x_O_1 = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O_1 = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O_1 = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O_1 = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then r_4[u_51] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - zz_15: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); {282}find [unique] u_48 = ri_48 <= Qeperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_46 = ri_46 <= Qeperuser, u_47 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], 
r_1[ri_46, ri_47]) && (x_O = x_O_1[ri_46, ri_47]) then r_1[u_46, u_47] orfind u_44 = ri_44 <= Qdperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then r_4[u_41] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_12: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {539}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_3 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_3 = x_O_1[ri_36, ri_37]) 
then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_3 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then r_4[u_31] else r_3 <-R eae_output_t; r_3); - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_13: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {699}find [unique] u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_2 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_2 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_2 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then r_4[u_21] else r_2 <-R eae_output_t; r_2); - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: 
label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_4: eae_input_t <- x1; find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] else r_4 <-R eae_output_t; r_4)) - else - return((x_O_5: eae_input_t <- x1; find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) - )) - - -Applying expand [probability (4 * #OAEncap * Qeperuser + #OAEncap * N + N * N + #OADecap * N) * PCollKey] - - Expand if/find/let - - Remove branch 4 in find at 699 - - Remove branch 2 in find at 699 - - Remove branch 1 in find at 699 - - Remove branch 3 in find at 539 - - Remove branch 1 in find at 539 - - Remove branch 4 in find at 282 - - Remove branch 3 in find at 282 - - Remove branch 2 in find at 282 - - Remove branch 1 in find at 282 - - Remove branch 3 in find at 104 - - Remove branch 2 in find at 104 - - Remove branch 1 in find at 104 -yields - -Game 32 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 
= i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O_1 = x_O_3[ri_52, ri_53]) then - zz_14: eae_output_t <- r_3[u_52, u_53]; - return(AuthEncap_tuple(zz_14, enc_7)) - orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(zz_14, enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(zz_14, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); - find [unique] u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then - zz_15: eae_output_t <- r_4[u_41]; - return(AuthEncap_tuple(zz_15, enc_8)) - else - r <-R eae_output_t; - zz_15: eae_output_t <- r; - return(AuthEncap_tuple(zz_15, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - 
find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_3 = x_O_1[ri_36, ri_37]) then - zz_12: eae_output_t <- r_1[u_36, u_37]; - return(AuthDecap_Some(zz_12)) - orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then - zz_12: eae_output_t <- r_3[u_32, u_33]; - return(AuthDecap_Some(zz_12)) - orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(zz_12)) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(zz_12)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, 
suite_id, label_shared_secret, kemContext_11); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then - zz_13: eae_output_t <- r_2[u_24, u_25]; - return(AuthDecap_Some(zz_13)) - orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then - zz_13: eae_output_t <- r_4[u_21]; - return(AuthDecap_Some(zz_13)) - else - r_2 <-R eae_output_t; - zz_13: eae_output_t <- r_2; - return(AuthDecap_Some(zz_13)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- x1; - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- x1; - find [unique] u = 
ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_5 (definition point kept, all usages removed) - - Remove assignments on x_O_4 (definition point kept, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_13 (definition removed, all usages removed) - - Remove assignments on zz_12 (definition kept, array references kept) - - Remove assignments on zz_12 (definition kept, array references kept) - - Remove assignments on zz_12 (definition kept, array references kept) - - Remove assignments on zz_12 (definition kept, array references kept) - - Remove assignments on zz_15 (definition removed, all usages removed) - - Remove assignments on zz_15 (definition removed, all usages removed) - - Remove assignments on zz_14 (definition kept, array references kept) - - Remove assignments on zz_14 (definition kept, array references kept) - - Remove assignments on zz_14 (definition kept, array references kept) -yields - -Game 33 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - {103} 
find [unique] u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && {108}(x_O_1 = x_O_3[ri_52, ri_53]) then - zz_14: eae_output_t <- r_3[u_52, u_53]; - return(AuthEncap_tuple(r_3[u_52, u_53], enc_7)) - orfind u_51 = ri_51 <= Qh suchthat defined(x1[ri_51], x_O_4[ri_51], r_4[ri_51]) && {141}(x_O_1 = x1[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); - {258} find [unique] u_41 = ri_41 <= Qh suchthat defined(x1[ri_41], x_O_4[ri_41], r_4[ri_41]) && {262}(x_O = x1[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, 
mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - {447} find [unique] u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && {452}(x_O_3 = x_O_1[ri_36, ri_37]) then - zz_12: eae_output_t <- r_1[u_36, u_37]; - return(AuthDecap_Some(r_1[u_36, u_37])) - orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && {483}(x_O_3 = x_O_3[ri_32, ri_33]) then - zz_12: eae_output_t <- r_3[u_32, u_33]; - return(AuthDecap_Some(r_3[u_32, u_33])) - orfind u_31 = ri_31 <= Qh suchthat defined(x1[ri_31], x_O_4[ri_31], r_4[ri_31]) && {513}(x_O_3 = x1[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - {609} find [unique] u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && {614}(x_O_2 = x_O_2[ri_24, ri_25]) then - return(AuthDecap_Some(r_2[u_24, u_25])) - orfind u_21 = ri_21 <= Qh suchthat defined(x1[ri_21], x_O_4[ri_21], r_4[ri_21]) && {635}(x_O_2 = x1[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - 
return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - {684} find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && {689}(x1 = x_O[ri_18, ri_19]) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && {707}(x1 = x_O_1[ri_16, ri_17]) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && {725}(x1 = x_O_2[ri_14, ri_15]) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && {743}(x1 = x_O_3[ri_12, ri_13]) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(x1[ri_11], x_O_4[ri_11], r_4[ri_11]) && {760}(x1 = x1[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - {780} find [unique] u = ri <= Qh suchthat defined(x1[ri], x_O_5[ri], r_5[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify [probability (8 * N * N + #OADecap * N) * PCollKey] - - Simplification pass - - Replaced defined condition x1[ri], x_O_5[ri], r_5[ri] with r_5[ri], x1[ri] in find at 780 - - Replaced (x1 = x1[ri_11]) with ((pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 
= dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11])) at 760 - - Replaced defined condition x1[ri_11], x_O_4[ri_11], r_4[ri_11] with r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11] in find at 684 - - Replaced (x1 = x_O_3[ri_12, ri_13]) with ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 743 - - Replaced defined condition x_O_3[ri_12, ri_13], r_3[ri_12, ri_13] with r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13] in find at 684 - - Replaced (x1 = x_O_2[ri_14, ri_15]) with ((pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 725 - - Replaced defined condition x_O_2[ri_14, ri_15], r_2[ri_14, ri_15] with r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15] in find at 684 - - Replaced (x1 = x_O_1[ri_16, ri_17]) with ((pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, 
mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 707 - - Replaced defined condition x_O_1[ri_16, ri_17], r_1[ri_16, ri_17] with r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17] in find at 684 - - Replaced (x1 = x_O[ri_18, ri_19]) with ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 689 - - Replaced defined condition x_O[ri_18, ri_19], r[ri_18, ri_19] with r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19] in find at 684 - - Replaced (x_O_2 = x1[ri_21]) with ((pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21])) at 635 - - Replaced defined condition x1[ri_21], x_O_4[ri_21], r_4[ri_21] with r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21] in find at 609 - - Replaced (x_O_2 = x_O_2[ri_24, ri_25]) with ((pk_S = pk_S[ri_24, ri_25]) && (i = ri_25) && (pkE_3 = pkE_3[ri_24, ri_25])) at 614 - - In branch 1 of find at 609, substituting u_25 with 
i - - Replaced defined condition x_O_2[ri_24, ri_25], r_2[ri_24, ri_25] with r_2[ri_24], pkE_3[ri_24], pk_S[ri_24] in find at 609 - - Replaced (x_O_3 = x1[ri_31]) with ((pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31])) at 513 - - Replaced defined condition x1[ri_31], x_O_4[ri_31], r_4[ri_31] with r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31] in find at 447 - - Replaced (x_O_3 = x_O_3[ri_32, ri_33]) with ((i1_6[id, ri_33] = i1_6[ri_32, ri_33]) && (i = ri_33) && (pkE_3 = pkE_3[ri_32, ri_33])) at 483 - - Remove branch 2 in find at 447 - - Replaced (x_O_3 = x_O_1[ri_36, ri_37]) with ((i1_6 = ri_37) && (i = i1_10[ri_36, ri_37]) && (pkE_3 = pkE_2[ri_36, ri_37])) at 452 - - Remove branch 1 in find at 447 - - Replaced (x_O = x1[ri_41]) with ((pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41])) at 262 - - Replaced defined condition x1[ri_41], x_O_4[ri_41], r_4[ri_41] with r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41] in find at 258 - - Replaced (x_O_1 = x1[ri_51]) with ((pkS = pkS'[ri_51]) 
&& (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51])) at 141 - - Replaced defined condition x1[ri_51], x_O_4[ri_51], r_4[ri_51] with r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51] in find at 103 - - Replaced (x_O_1 = x_O_3[ri_52, ri_53]) with ((i = i1_6[ri_52, ri_53]) && (i1_10 = ri_53) && (pkE_2 = pkE_3[ri_52, ri_53])) at 108 - - In branch 1 of find at 103, substituting u_53 with i1_10 - - Replaced defined condition x_O_3[ri_52, ri_53], r_3[ri_52, ri_53] with r_3[ri_52, i1_10], pkE_3[ri_52, i1_10], i1_6[ri_52, i1_10] in find at 103 -yields - -Game 34 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - {103} find [unique] u_52 = ri_52 <= Qdperuser suchthat defined(r_3[ri_52, i1_10], pkE_3[ri_52, i1_10], i1_6[ri_52, i1_10]) && {116}((i = i1_6[ri_52, i1_10]) && (i1_10 = i1_10) && (pkE_2 
= pkE_3[ri_52, i1_10])) then - u_53 <= N <- i1_10; - zz_14: eae_output_t <- r_3[u_52, i1_10]; - return(AuthEncap_tuple(r_3[u_52, i1_10], enc_7)) - orfind u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = 
dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = 
salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && {854}((pk_S = pk_S[ri_24]) && (i = i) && (pkE_3 = pkE_3[ri_24])) then - u_25 <= N <- i; - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': 
G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat 
defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify [probability (#OAEncap * Qdperuser + N * N) * PCollKey] - - Simplification pass - - Replaced ((pk_S = pk_S[ri_24]) && (i = i) && (pkE_3 = pkE_3[ri_24])) with ((pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24])) at 854 - - Replaced ((i = i1_6[ri_52, i1_10]) && (i1_10 = i1_10) && (pkE_2 = pkE_3[ri_52, i1_10])) with false at 116 - - Remove branch 1 in find at 103 -yields - -Game 35 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat 
defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); - info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); - info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); - x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], 
protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], 
pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - u_25 <= N <- i; - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - 
return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = 
pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - x_O_5: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying move all binders - - Move assignment to x_O_5 - - Move assignment to x_O_4 - - Move assignment to x_O_2 - - Move assignment to info_6 - - Move assignment to 
key_6 - - Move assignment to kemContext_11 - - Move assignment to x_O_3 - - Move assignment to info_5 - - Move assignment to key_5 - - Move assignment to kemContext_10 - - Move assignment to x_O - - Move assignment to info_8 - - Move assignment to key_8 - - Move assignment to kemContext_13 - - Move assignment to x_O_1 - - Move assignment to info_7 - - Move assignment to key_7 - - Move assignment to kemContext_12 -yields - -Game 36 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], 
protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); - pkR_5: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && 
(label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - u_25 <= N <- i; - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) 
&& (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && 
(protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_12 (definition removed, all usages removed) - - Remove assignments on u_25 (definition removed, all usages removed) - - Remove assignments on dh_11 (definition removed, all usages removed) - - Remove assignments on dh_14 (definition removed, all usages removed) - - Remove assignments on dh_13 (definition removed, all usages removed) -yields - -Game 37 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], 
dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, 
i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - pkR_5: G_t <- exp(g, sk); - find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = 
salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, 
ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying equivalence gdh(exp) with z_2, sk. 
[probability Adv_sqGDH(time(context for game 37) + time + (1 + #OAEncap + N) * time(exp), 4 * Qh * Qdperuser + 3 * Qh * N + N * #OAEncap + N * #OADecap) + (#OAEncap + N) * PDistRerandom + (2 * #OAEncap * Qeperuser + N * N) * PCollKey] - - Equivalence gdh(exp) with variables: sk -> a, z_2 -> a. -yields - -Game 38 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (m_1: G_t <- pk_R; m'_1: G_t <- g; (m_1 = exp(m'_1, sk[i1_11]))) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - {54} find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (m_3: G_t <- dh2[ri_51]; false) && (m_2: G_t <- dh1[ri_51]; false) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then - zz_14: eae_output_t <- r_4[u_51]; - return(AuthEncap_tuple(r_4[u_51], enc_7)) - else - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && 
(label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m: G_t <- dh2[ri_41]; m': G_t <- pk_R; (m = exp(m', sk))) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (m_9: G_t <- pk_S; m'_6: G_t <- g; (m_9 = exp(m'_6, sk[i1_9]))) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_6: G_t <- pk_S; m'_4: G_t <- g; (m_6 = exp(m'_4, sk[i1_7]))) then - pkR_5: G_t <- exp(g, sk); - {441} find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_8: G_t <- dh2[ri_31]; false) && (m_7: G_t <- dh1[ri_31]; m'_5: G_t <- pkE_3; (m_7 = exp(m'_5, sk))) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then - zz_12: eae_output_t <- r_4[u_31]; - 
return(AuthDecap_Some(r_4[u_31])) - else - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_5: G_t <- dh2[ri_21]; m'_3: G_t <- pk_S; (m_5 = exp(m'_3, sk))) && (m_4: G_t <- dh1[ri_21]; m'_2: G_t <- pkE_3; (m_4 = exp(m'_2, sk))) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - {757} find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = 
I2OSP2(Nsecret)) && (m_10: G_t <- dh2; m'_7: G_t <- pk_R[ri_18, ri_19]; (m_10 = exp(m'_7, sk[ri_19]))) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_12: G_t <- dh2; false) && (m_11: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_16, u_17]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14: G_t <- dh2; m'_9: G_t <- pk_S[ri_14, ri_15]; (m_14 = exp(m'_9, sk[ri_15]))) && (m_13: G_t <- dh1; m'_8: G_t <- pkE_3[ri_14, ri_15]; (m_13 = exp(m'_8, sk[ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_16: G_t <- dh2; false) && (m_15: G_t <- dh1; m'_10: G_t <- pkE_3[ri_12, ri_13]; (m_15 = exp(m'_10, sk[ri_13]))) && (label1 = 
label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_3[u_12, u_13]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 4 in find at 757 - - Remove branch 2 in find at 757 - - Remove branch 1 in find at 441 - - Find at 441 removed (else branch kept if any) - - Remove branch 1 in find at 54 - - Find at 54 removed (else branch kept if any) -yields - -Game 39 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (m_1: G_t <- pk_R; m'_1: G_t <- g; (m_1 = exp(m'_1, sk[i1_11]))) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - r_1 <-R eae_output_t; - zz_14: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], 
protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (m: G_t <- dh2[ri_41]; m': G_t <- pk_R; ((pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m = exp(m', sk)) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]))) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (m_9: G_t <- pk_S; m'_6: G_t <- g; ((i = i1_10[ie1_3, i1_9]) && (m_9 = exp(m'_6, sk[i1_9])) && (pkE_2[ie1_3, i1_9] = pkE_3))) then - return(AuthDecap_Some(zz_14[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(zz_12[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_6: G_t <- pk_S; m'_4: G_t <- g; (m_6 = exp(m'_4, sk[i1_7]))) then - pkR_5: G_t <- exp(g, sk); - r_3 <-R eae_output_t; - zz_12: eae_output_t <- r_3; - return(AuthDecap_Some(r_3)) - else - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (m_5: G_t <- dh2[ri_21]; m'_3: 
G_t <- pk_S; m_4: G_t <- dh1[ri_21]; m'_2: G_t <- pkE_3; ((pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_5 = exp(m'_3, sk)) && (m_4 = exp(m'_2, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]))) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (m_10: G_t <- dh2; m'_7: G_t <- pk_R[ri_18, ri_19]; ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_10 = exp(m'_7, sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r[u_18, u_19]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (m_14: G_t <- dh2; m'_9: G_t <- pk_S[ri_14, ri_15]; m_13: G_t <- dh1; m'_8: G_t <- pkE_3[ri_14, ri_15]; ((pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = 
pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14 = exp(m'_9, sk[ri_15])) && (m_13 = exp(m'_8, sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_2[u_14, u_15]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying remove assignments of findcond - - Remove assignments on m_10 (definition removed, all usages removed) - - Remove assignments on m'_7 (definition removed, all usages removed) - - Remove assignments on m_14 (definition removed, all usages removed) - - Remove assignments on m'_9 (definition removed, all usages removed) - - Remove assignments on m_13 (definition removed, all usages removed) - - Remove assignments on m'_8 (definition removed, all usages removed) - - Remove assignments on m_5 (definition removed, all usages removed) - - Remove assignments on m'_3 (definition removed, all usages removed) - - Remove assignments on m_4 (definition removed, all usages removed) - - Remove assignments on m'_2 (definition removed, all usages removed) - - Remove assignments on pkR_5 (definition removed, all usages removed) - - Remove assignments on 
zz_12 (definition removed, all usages removed) - - Remove assignments on m_6 (definition removed, all usages removed) - - Remove assignments on m'_4 (definition removed, all usages removed) - - Remove assignments on m_9 (definition removed, all usages removed) - - Remove assignments on m'_6 (definition removed, all usages removed) - - Remove assignments on m (definition removed, all usages removed) - - Remove assignments on m' (definition removed, all usages removed) - - Remove assignments on zz_14 (definition removed, all usages removed) - - Remove assignments on m_1 (definition removed, all usages removed) - - Remove assignments on m'_1 (definition removed, all usages removed) -yields - -Game 40 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(pk_R, sk)) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - 
) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - {205} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(r_1[ie1_3, i1_9], r_1[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(r_1[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(r_3[id1_3], r_3[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(r_3[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: 
G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R 
eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else - r_5 <-R eae_output_t; - return(r_5) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition r_3[id1_3], r_3[id1_3], pkE_3[id1_3], pk_S[id1_3] with r_3[id1_3], pkE_3[id1_3], pk_S[id1_3] in find at 205 - - Replaced defined condition r_1[ie1_3, i1_9], r_1[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9] with r_1[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9] in find at 205 -yields - -Game 41 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then - z_2 <-R Z_t; - pkE_2: G_t <- exp(g, z_2); - enc_7: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_7)) - else - z_3 <-R Z_t; - pkE_2: G_t <- exp(g, z_3); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(pk_R, sk)) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then - return(AuthEncap_tuple(r_4[u_41], enc_8)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_8)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = 
enc_2 in - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(r_1[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (pkE_2[ie1_3, i1_9] = pkE_3) then - return(AuthDecap_Some(r_1[ie1_2, i1_8])) - orfind id1_2 = id1_3 <= Qdperuser suchthat defined(r_3[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then - return(AuthDecap_Some(r_3[id1_2])) - else - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then - r_3 <-R eae_output_t; - return(AuthDecap_Some(r_3)) - else - pkR_6: G_t <- exp(g, sk); - find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then - return(AuthDecap_Some(r_2[u_24])) - orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then - return(AuthDecap_Some(r_4[u_21])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, 
pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_18, u_19]) - orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_14, u_15]) - orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then - return(r_4[u_11]) - else - r_4 <-R eae_output_t; - return(r_4) - else - find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_5[u]) - else 
- r_5 <-R eae_output_t; - return(r_5) - )) - -Initial state -Game 42 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - {18} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; {22}let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_3: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None) in - return(AuthEncap_tuple(k, ce)) - else - return(AuthEncap_None) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k[ie1, i1_2], ce[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && ((exponent_16: Z_t <- sk_1[i1_2]; exp(g, exponent_16)) = pk_S_1) && (ce[ie1, i1_2] = cd) then - return(AuthDecap_Some(k[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && (exp(g, sk_1) = (exponent_17: Z_t <- sk_1[i1_4]; exp(g, exponent_17))) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd) then - return(AuthDecap_Some(k'[id1_1, i1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = (exponent_15: Z_t <- sk_1[i1]; exp(g, exponent_15))) then - {240} let AuthDecap_Some(k0: eae_output_t) = (skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); 
pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); AuthDecap_Some(zz_9) else AuthDecap_None) in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - return((skR_1: Z_t <- sk_1; let Serialize(pkE_8: G_t) = cd in dh_8: GG_t <- concatDH(exp(pkE_8, skR_1), exp(pk_S_1, skR_1)); pkR_3: G_t <- exp(g, skR_1); kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthDecap_Some(zz_8) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern AuthDecap_Some(k0: eae_output_t) (tuple expanded) at 240 - - Remove else branch of let at 240 - - Simplify pattern (skE_1: Z_t, pkE_7: G_t) (tuple expanded) at 22 - - Remove else branch of let at 22 - - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 18 - - Remove else branch of let at 18 -yields - -Game 43 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - skS_1: Z_t <- sk_1; - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - skE_1: Z_t <- z_1; - dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); - enc_6: bitstring 
<- Serialize(pkE_7); - pkS_3: G_t <- exp(g, skS_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - ce: bitstring <- enc_6; - k: eae_output_t <- zz_7; - return(AuthEncap_tuple(k, ce)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k[ie1, i1_2], ce[ie1, i1_2]) && (exponent_16: Z_t <- sk_1[i1_2]; ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, exponent_16) = pk_S_1) && (ce[ie1, i1_2] = cd))) then - return(AuthDecap_Some(k[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && (exponent_17: Z_t <- sk_1[i1_4]; ((exp(g, sk_1) = exp(g, exponent_17)) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd))) then - return(AuthDecap_Some(k'[id1_1, i1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (exponent_15: Z_t <- sk_1[i1]; (pk_S_1 = exp(g, exponent_15))) then - skR_1: Z_t <- sk_1; - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); - pkR_4: G_t <- exp(g, skR_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); - k0: eae_output_t <- zz_9; - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - let AuthDecap_Some(k0: eae_output_t) = AuthDecap_None in - k' <-R eae_output_t; - 
return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - skR_1: Z_t <- sk_1; - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, skR_1), exp(pk_S_1, skR_1)); - pkR_3: G_t <- exp(g, skR_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR_1 (definition removed, all usages removed) - - Remove assignments on skR_1 (definition removed, all usages removed) - - Remove assignments on k0 (definition removed, all usages removed) - - Remove assignments on exponent_15 (definition removed, all usages removed) - - Remove assignments on exponent_16 (definition removed, all usages removed) - - Remove assignments on exponent_17 (definition removed, all usages removed) - - Remove assignments on skS_1 (definition removed, all usages removed) - - Remove assignments on skE_1 (definition removed, all usages removed) - - Remove assignments on ce (definition removed, all usages removed) - - Remove assignments on k (definition removed, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on key_4 (definition removed, all usages removed) - - Remove assignments on info_4 (definition removed, all usages removed) - - Remove assignments on dh_9 (definition removed, all usages removed) - - Remove assignments on kemContext_9 (definition removed, all usages removed) - - Remove assignments on pkR_4 (definition 
removed, all usages removed) -yields - -Game 44 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - {112} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], enc_6[ie1, i1_2], zz_7[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && (exp(g, sk_1) = exp(g, sk_1[i1_4])) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd) then - return(AuthDecap_Some(k'[id1_1, i1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - let AuthDecap_Some(k0: eae_output_t) = AuthDecap_None in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, 
pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition zz_7[ie1, i1_2], enc_6[ie1, i1_2], zz_7[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] with zz_7[ie1, i1_2], enc_6[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] in find at 112 -yields - -Game 45 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - {112} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], enc_6[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N 
suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && {163}((exp(g, sk_1) = exp(g, sk_1[i1_4])) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd)) then - return(AuthDecap_Some(k'[id1_1, i1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - {221} let AuthDecap_Some(k0: eae_output_t) = AuthDecap_None in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify [probability N * N * PCollKey] - - Simplification pass - - Remove let at 221 - - Replaced ((exp(g, sk_1) = exp(g, sk_1[i1_4])) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd)) with ((i_1 = i1_4) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd)) at 163 - - In branch 2 of find at 112, substituting i1_1 with i_1 - - Replaced defined condition sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4] with k'[id1], cd[id1], pk_S_1[id1] in find at 112 -yields - -Game 46 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - 
pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], enc_6[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && {162}((i_1 = i_1) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - 
return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Replaced ((i_1 = i_1) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) with ((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) at 162 -yields - -Game 47 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - {112} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], enc_6[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction let Serialize(pkE_10) = cd in at occurrence 112 -yields - -Game 48 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], enc_6[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && 
(pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - else - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], enc_6[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd) then - i1_1 <= N <- i_1; - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) 
| ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on i1_1 (definition removed, all usages removed) - - Remove assignments on i1_1 (definition removed, all usages removed) -yields - -Game 49 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - {116} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], enc_6[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {124}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && {166}((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - {200} let Serialize(pkE_9: G_t) = {201}cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - {216} let Serialize(pkE_8: G_t) = {217}cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, 
sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - else - {296} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], enc_6[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {304}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && {346}((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - {380} let Serialize(pkE_9: G_t) = cd in - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - return(AuthDecap_None) - else - {396} let Serialize(pkE_8: G_t) = cd in - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Remove let at 396 - - Remove let at 380 - - Replaced ((pk_S_1[id1] = 
pk_S_1) && (cd[id1] = cd)) with false at 346 - - Remove branch 2 in find at 296 - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) with false at 304 - - Remove branch 1 in find at 296 - - Find at 296 removed (else branch kept if any) - - Replaced cd with Serialize(pkE_10) at 217 - - Remove else branch of let at 216 - - Simplify pattern Serialize(pkE_8: G_t) (tuple expanded) at 216 - - Replaced cd with Serialize(pkE_10) at 201 - - Remove else branch of let at 200 - - Simplify pattern Serialize(pkE_9: G_t) (tuple expanded) at 200 - - Replaced ((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) with ((pk_S_1[id1] = pk_S_1) && (pkE_9[id1] = pkE_10)) at 166 - - Replaced defined condition k'[id1], cd[id1], pk_S_1[id1] with k'[id1], pkE_9[id1], pk_S_1[id1] in find at 116 - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) with ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) at 124 - - Replaced defined condition zz_7[ie1, i1_2], enc_6[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] with zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] in find at 116 -yields - -Game 50 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - 
return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_9[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_9[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - pkE_9: G_t <- pkE_10; - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkE_8: G_t <- pkE_10; - dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - return(AuthDecap_None) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on pkE_8 (definition removed, all usages removed) - - Remove assignments on pkE_9 (definition removed, all usages removed) -yields - -Game 51 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: 
G_t) := - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - {282} find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - return(AuthDecap_None) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) 
- )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying merge branches - - Merge all branches of find at 282 -yields - -Game 52 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - {18} z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction find i1 <= N suchthat - defined(sk_1[i1]) - && pk_R_1 = exp(g, sk_1[i1]) then at occurrence 18 -yields - -Game 53 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - else - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) 
| ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename z_1 - - Rename variable z_1 into z_5, z_4 -yields - -Game 54 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_7: GG_t <- {36}concatDH(exp(pk_R_1, z_4), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- 
concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - {216} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, 
suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition pkE_10[id1], k'[id1], k'[id1], pk_S_1[id1] with k'[id1], pkE_10[id1], pk_S_1[id1] in find at 216 - - Replaced concatDH(exp(pk_R_1, z_4), exp(pk_R_1, sk_1)) with concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))) at 36 -yields - -Game 55 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_7: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, 
label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename dh_7 - - Rename variable dh_7 into dh_16, dh_15 -yields - -Game 56 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, 
z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- 
concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename enc_6 - - Rename variable enc_6 into enc_10, enc_9 -yields - -Game 57 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: 
eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename kemContext_7 - - Rename variable kemContext_7 into kemContext_15, kemContext_14 -yields - -Game 58 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - 
dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- 
concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename key_2 - - Rename variable key_2 into key_10, key_9 -yields - -Game 59 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_2)); - return(AuthEncap_tuple(zz_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_7: 
eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_2)); - return(AuthEncap_tuple(zz_7, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename info_2 - - Rename variable info_2 into info_10, info_9 -yields - -Game 60 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- 
concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); - return(AuthEncap_tuple(zz_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); - return(AuthEncap_tuple(zz_7, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- 
concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying SA rename zz_7 - - Rename variable zz_7 into zz_17, zz_16 -yields - -Game 61 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: 
eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - {222} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {230}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_17[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {273}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) then - return(AuthDecap_Some(zz_17[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying simplify [probability (N * N + #OAEncap * N) * PCollKey] - - Simplification pass - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) 
&& (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) with false at 273 - - Remove branch 2 in find at 222 - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) with ((i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) at 230 - - Replaced defined condition zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] with zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2] in find at 222 -yields - -Game 62 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); - 
return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - {399} return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand(l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 399 -yields - -Game 63 is - Ostart() := - key_extr_10 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach 
ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) 
then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - else - return(ExtractAndExpand_inner(key_extr_10, x1_1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_10 -> hk -yields - -Game 64 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_14); - zz_16: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); {104}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] orfind u_92 = ri_92 <= Qh suchthat defined(x_O_10[ri_92], r_10[ri_92]) && {173}(x_O_7 = x_O_10[ri_92]) then r_10[u_92] else r_7 <-R eae_output_t; r_7); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); {276}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat 
defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] orfind u_84 = ri_84 <= Qh suchthat defined(x_O_10[ri_84], r_10[ri_84]) && {345}(x_O_6 = x_O_10[ri_84]) then r_10[u_84] else r_6 <-R eae_output_t; r_6); - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); {532}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && 
(x_O_8 = x_O_9[ri_77]) then r_9[u_77] orfind u_76 = ri_76 <= Qh suchthat defined(x_O_10[ri_76], r_10[ri_76]) && {601}(x_O_8 = x_O_10[ri_76]) then r_10[u_76] else r_8 <-R eae_output_t; r_8); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_9: eae_input_t <- x1_1; {652}find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] orfind u_68 = ri_68 <= Qh suchthat defined(x_O_10[ri_68], r_10[ri_68]) && {710}(x_O_9 = x_O_10[ri_68]) then r_10[u_68] else r_9 <-R eae_output_t; r_9)) - else - return((x_O_10: eae_input_t <- x1_1; {727}find [unique] u_66 = ri_66 <= Qeperuser, u_67 = ri_67 <= N suchthat defined(x_O_6[ri_66, ri_67], r_6[ri_66, ri_67]) && {732}(x_O_10 = x_O_6[ri_66, ri_67]) then r_6[u_66, u_67] orfind u_64 = ri_64 <= Qeperuser, u_65 = ri_65 <= N suchthat defined(x_O_7[ri_64, ri_65], r_7[ri_64, ri_65]) && {747}(x_O_10 = x_O_7[ri_64, ri_65]) then r_7[u_64, u_65] orfind u_62 = ri_62 <= Qdperuser, u_63 = ri_63 <= N suchthat defined(x_O_8[ri_62, ri_63], r_8[ri_62, 
ri_63]) && {762}(x_O_10 = x_O_8[ri_62, ri_63]) then r_8[u_62, u_63] orfind u_61 = ri_61 <= Qh suchthat defined(x_O_9[ri_61], r_9[ri_61]) && {775}(x_O_10 = x_O_9[ri_61]) then r_9[u_61] orfind u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) - )) - - -Applying simplify (non-expanded game) [probability N * N * PCollKey] - - Simplification pass - - Replaced (x_O_7 = x_O_10[ri_92]) with false at 173 - - Remove branch 5 in find at 104 - - Replaced (x_O_6 = x_O_10[ri_84]) with false at 345 - - Remove branch 5 in find at 276 - - Replaced (x_O_8 = x_O_10[ri_76]) with false at 601 - - Remove branch 5 in find at 532 - - Replaced (x_O_9 = x_O_10[ri_68]) with false at 710 - - Remove branch 5 in find at 652 - - Replaced (x_O_10 = x_O_9[ri_61]) with false at 775 - - Remove branch 4 in find at 727 - - Replaced (x_O_10 = x_O_8[ri_62, ri_63]) with false at 762 - - Remove branch 3 in find at 727 - - Replaced (x_O_10 = x_O_7[ri_64, ri_65]) with false at 747 - - Remove branch 2 in find at 727 - - Replaced (x_O_10 = x_O_6[ri_66, ri_67]) with false at 732 - - Remove branch 1 in find at 727 -yields - -Game 65 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - zz_16: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, 
info_9); {104}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && (x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] else r_7 <-R eae_output_t; r_7); - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - zz_17: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); {264}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && (x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] else r_6 <-R eae_output_t; r_6); - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let 
Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); {508}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] else r_8 <-R eae_output_t; r_8); - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, 
label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_9: eae_input_t <- x1_1; find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] else r_9 <-R eae_output_t; r_9)) - else - return((x_O_10: eae_input_t <- x1_1; find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) - )) - - -Applying expand [probability (4 * #OAEncap * Qeperuser + #OAEncap * N + N * N + #OADecap * N) * PCollKey] - - Expand if/find/let - - Remove branch 2 in find at 508 - - Remove branch 1 in find at 508 - - Remove branch 3 in find at 264 - - Remove branch 2 in find at 264 - - Remove branch 1 in find at 264 - - Remove branch 3 in find at 104 - - Remove branch 2 in find at 104 - - Remove branch 1 in find at 104 -yields - -Game 66 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- 
exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); - find [unique] u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(zz_16, enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(zz_16, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); - find [unique] u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then - zz_17: eae_output_t <- r_9[u_85]; - return(AuthEncap_tuple(zz_17, enc_10)) - else - r_6 <-R eae_output_t; - zz_17: eae_output_t <- r_6; - return(AuthEncap_tuple(zz_17, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else 
- find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); - find [unique] u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then - zz_8: eae_output_t <- r_8[u_78, u_79]; - return(AuthDecap_Some(zz_8)) - orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then - zz_8: eae_output_t <- r_9[u_77]; - return(AuthDecap_Some(zz_8)) - else - r_8 <-R eae_output_t; - zz_8: eae_output_t <- r_8; - return(AuthDecap_Some(zz_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- x1_1; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, 
ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- x1_1; - find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_10 (definition point kept, all usages removed) - - Remove assignments on x_O_9 (definition point kept, all usages removed) - - Remove assignments on zz_8 (definition removed, all usages removed) - - Remove assignments on zz_8 (definition removed, all usages removed) - - Remove assignments on zz_8 (definition removed, all usages removed) - - Remove assignments on zz_17 (definition removed, all usages removed) - - Remove assignments on zz_17 (definition removed, all usages removed) - - Remove assignments on zz_16 (definition kept, array references kept) - - Remove assignments on zz_16 (definition kept, array references kept) -yields - -Game 67 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); - {103} 
find [unique] u_93 = ri_93 <= Qh suchthat defined(x1_1[ri_93], x_O_9[ri_93], r_9[ri_93]) && {107}(x_O_7 = x1_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); - {224} find [unique] u_85 = ri_85 <= Qh suchthat defined(x1_1[ri_85], x_O_9[ri_85], r_9[ri_85]) && {228}(x_O_6 = x1_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, 
label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); - {418} find [unique] u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && {423}(x_O_8 = x_O_8[ri_78, ri_79]) then - return(AuthDecap_Some(r_8[u_78, u_79])) - orfind u_77 = ri_77 <= Qh suchthat defined(x1_1[ri_77], x_O_9[ri_77], r_9[ri_77]) && {444}(x_O_8 = x1_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - {493} find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && {498}(x1_1 = x_O_6[ri_74, ri_75]) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && {516}(x1_1 = x_O_7[ri_72, ri_73]) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && {534}(x1_1 = x_O_8[ri_70, ri_71]) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(x1_1[ri_69], x_O_9[ri_69], r_9[ri_69]) && {551}(x1_1 = x1_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - {571} find [unique] u_60 = ri_60 <= Qh suchthat defined(x1_1[ri_60], 
x_O_10[ri_60], r_10[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying simplify [probability (2 * N * N + #OADecap * N) * PCollKey] - - Simplification pass - - Replaced defined condition x1_1[ri_60], x_O_10[ri_60], r_10[ri_60] with r_10[ri_60], x1_1[ri_60] in find at 571 - - Replaced (x1_1 = x1_1[ri_69]) with ((pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69])) at 551 - - Replaced defined condition x1_1[ri_69], x_O_9[ri_69], r_9[ri_69] with r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69] in find at 493 - - Replaced (x1_1 = x_O_8[ri_70, ri_71]) with ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 534 - - Replaced defined condition x_O_8[ri_70, ri_71], r_8[ri_70, ri_71] with r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71] in find at 493 - - Replaced (x1_1 = x_O_7[ri_72, ri_73]) with ((pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = 
I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 516 - - Replaced defined condition x_O_7[ri_72, ri_73], r_7[ri_72, ri_73] with r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73] in find at 493 - - Replaced (x1_1 = x_O_6[ri_74, ri_75]) with ((pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 498 - - Replaced defined condition x_O_6[ri_74, ri_75], r_6[ri_74, ri_75] with r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75] in find at 493 - - Replaced (x_O_8 = x1_1[ri_77]) with ((pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77])) at 444 - - Replaced defined condition x1_1[ri_77], x_O_9[ri_77], r_9[ri_77] with r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77] in find at 418 - - Replaced 
(x_O_8 = x_O_8[ri_78, ri_79]) with ((pk_S_1 = pk_S_1[ri_78, ri_79]) && (i_1 = ri_79) && (pkE_10 = pkE_10[ri_78, ri_79])) at 423 - - In branch 1 of find at 418, substituting u_79 with i_1 - - Replaced defined condition x_O_8[ri_78, ri_79], r_8[ri_78, ri_79] with r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78] in find at 418 - - Replaced (x_O_6 = x1_1[ri_85]) with ((pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85])) at 228 - - Replaced defined condition x1_1[ri_85], x_O_9[ri_85], r_9[ri_85] with r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85] in find at 224 - - Replaced (x_O_7 = x1_1[ri_93]) with ((pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93])) at 107 - - Replaced defined condition x1_1[ri_93], x_O_9[ri_93], r_9[ri_93] with r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93] in find at 103 -yields - -Game 68 is - Ostart() := - return(); - (( - foreach i_1 <= N do - 
Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), 
RFCXXXX, suite_id, label_shared_secret, kemContext_8); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && {605}((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_10 = pkE_10[ri_78])) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = 
label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) 
&& (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying simplify - - Simplification pass - - Replaced ((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_10 = pkE_10[ri_78])) with ((pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78])) at 605 -yields - -Game 69 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); - info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); - x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && 
(label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); - key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); - info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let 
Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - 
return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_9: eae_input_t <- cst_eae_input_t; - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 
<= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - x_O_10: eae_input_t <- cst_eae_input_t; - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying move all binders - - Move assignment to x_O_10 - - Move assignment to x_O_9 - - Move assignment to x_O_8 - - Move assignment to info_3 - - Move assignment to key_3 - - Move assignment to kemContext_8 - - Move assignment to x_O_6 - - Move assignment to info_10 - - Move assignment to key_10 - - Move assignment to kemContext_15 - - Move assignment to x_O_7 - - Move assignment to info_9 - - Move assignment to key_9 - - Move assignment 
to kemContext_14 -yields - -Game 70 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && 
(suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - u_79 <= N <- i_1; - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && 
(exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = 
label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_8 (definition removed, all usages removed) - - Remove assignments on u_79 (definition removed, all usages removed) - - Remove assignments on dh_16 (definition removed, all usages removed) - - Remove assignments on dh_15 (definition removed, all usages removed) -yields 
- -Game 71 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && 
(label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - 
return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], 
pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying equivalence gdh(exp) [probability Adv_sqGDH(time(context for game 71) + time + (1 + #OAEncap + N) * time(exp), 2 * Qh * Qdperuser + 3 * Qh * N + N * #OAEncap + N * #OADecap) + (#OAEncap + N) * PDistRerandom + (2 * #OAEncap * Qeperuser + N * N) * PCollKey] - - Equivalence gdh(exp) with variables: sk_1 -> a, z_4 -> a -yields - -Game 72 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (m_28: G_t <- pk_R_1; 
m'_19: G_t <- g; (m_28 = exp(m'_19, sk_1[i1_13]))) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - {54} find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (m_29: G_t <- dh2_1[ri_93]; false) && (m_17: G_t <- dh1_1[ri_93]; false) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then - zz_16: eae_output_t <- r_9[u_93]; - return(AuthEncap_tuple(r_9[u_93], enc_9)) - else - r_7 <-R eae_output_t; - zz_16: eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (m_27: G_t <- dh2_1[ri_85]; m'_18: G_t <- pk_R_1; (m_27 = exp(m'_18, sk_1))) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R 
eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (m_21: G_t <- pk_S_1; m'_14: G_t <- g; (m_21 = exp(m'_14, sk_1[i1_2]))) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (m_20: G_t <- pk_S_1; m'_13: G_t <- g; (m_20 = exp(m'_13, sk_1[i1]))) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (m_19: G_t <- dh2_1[ri_77]; m'_12: G_t <- pk_S_1; (m_19 = exp(m'_12, sk_1))) && (m_18: G_t <- dh1_1[ri_77]; m'_11: G_t <- pkE_10; (m_18 = exp(m'_11, sk_1))) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - 
return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - {631} find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_22: G_t <- dh2_1; m'_15: G_t <- pk_R_1[ri_74, ri_75]; (m_22 = exp(m'_15, sk_1[ri_75]))) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_24: G_t <- dh2_1; false) && (m_23: G_t <- dh1_1; false) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_7[u_72, u_73]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = 
pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_26: G_t <- dh2_1; m'_17: G_t <- pk_S_1[ri_70, ri_71]; (m_26 = exp(m'_17, sk_1[ri_71]))) && (m_25: G_t <- dh1_1; m'_16: G_t <- pkE_10[ri_70, ri_71]; (m_25 = exp(m'_16, sk_1[ri_71]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 2 in find at 631 - - Remove branch 1 in find at 54 - - Find at 54 removed (else branch kept if any) -yields - -Game 73 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (m_28: G_t <- pk_R_1; m'_19: G_t <- g; (m_28 = exp(m'_19, sk_1[i1_13]))) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - r_7 <-R eae_output_t; - zz_16: 
eae_output_t <- r_7; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (m_27: G_t <- dh2_1[ri_85]; m'_18: G_t <- pk_R_1; ((pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (m_27 = exp(m'_18, sk_1)) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]))) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (m_21: G_t <- pk_S_1; m'_14: G_t <- g; ((i_1 = i1_12[ie1, i1_2]) && (m_21 = exp(m'_14, sk_1[i1_2])) && (pkE_7[ie1, i1_2] = pkE_10))) then - return(AuthDecap_Some(zz_16[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (m_20: G_t <- pk_S_1; m'_13: G_t <- g; (m_20 = exp(m'_13, sk_1[i1]))) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = 
pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (m_19: G_t <- dh2_1[ri_77]; m'_12: G_t <- pk_S_1; m_18: G_t <- dh1_1[ri_77]; m'_11: G_t <- pkE_10; ((pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (m_19 = exp(m'_12, sk_1)) && (m_18 = exp(m'_11, sk_1)) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]))) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (m_22: G_t <- dh2_1; m'_15: G_t <- pk_R_1[ri_74, ri_75]; ((pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_22 = exp(m'_15, sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, 
ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty))) then - return(r_6[u_74, u_75]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (m_26: G_t <- dh2_1; m'_17: G_t <- pk_S_1[ri_70, ri_71]; m_25: G_t <- dh1_1; m'_16: G_t <- pkE_10[ri_70, ri_71]; ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_26 = exp(m'_17, sk_1[ri_71])) && (m_25 = exp(m'_16, sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty))) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying remove assignments of findcond - - Remove assignments on m_22 (definition removed, all usages removed) - - Remove assignments on m'_15 (definition removed, all usages removed) - - Remove assignments on m_26 (definition 
removed, all usages removed) - - Remove assignments on m'_17 (definition removed, all usages removed) - - Remove assignments on m_25 (definition removed, all usages removed) - - Remove assignments on m'_16 (definition removed, all usages removed) - - Remove assignments on m_19 (definition removed, all usages removed) - - Remove assignments on m'_12 (definition removed, all usages removed) - - Remove assignments on m_18 (definition removed, all usages removed) - - Remove assignments on m'_11 (definition removed, all usages removed) - - Remove assignments on m_20 (definition removed, all usages removed) - - Remove assignments on m'_13 (definition removed, all usages removed) - - Remove assignments on m_21 (definition removed, all usages removed) - - Remove assignments on m'_14 (definition removed, all usages removed) - - Remove assignments on m_27 (definition removed, all usages removed) - - Remove assignments on m'_18 (definition removed, all usages removed) - - Remove assignments on zz_16 (definition removed, all usages removed) - - Remove assignments on m_28 (definition removed, all usages removed) - - Remove assignments on m'_19 (definition removed, all usages removed) -yields - -Game 74 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], 
pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (dh2_1[ri_85] = exp(pk_R_1, sk_1)) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - {205} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(r_7[ie1, i1_2], r_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (pk_S_1 = exp(g, sk_1[i1_2])) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(r_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = 
protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (dh2_1[ri_77] = exp(pk_S_1, sk_1)) && (dh1_1[ri_77] = exp(pkE_10, sk_1)) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && 
(label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition r_7[ie1, i1_2], r_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2] with r_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2] in find at 205 -yields - -Game 75 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then - z_4 <-R Z_t; - pkE_7: G_t <- exp(g, z_4); - enc_9: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - r_7 <-R eae_output_t; - return(AuthEncap_tuple(r_7, enc_9)) - else - z_5 <-R Z_t; - pkE_7: G_t <- exp(g, z_5); - enc_10: bitstring <- Serialize(pkE_7); - pkS_3: G_t <- exp(g, sk_1); - find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], 
dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (dh2_1[ri_85] = exp(pk_R_1, sk_1)) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then - return(AuthEncap_tuple(r_9[u_85], enc_10)) - else - r_6 <-R eae_output_t; - return(AuthEncap_tuple(r_6, enc_10)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - let Serialize(pkE_10: G_t) = cd in - find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(r_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (pk_S_1 = exp(g, sk_1[i1_2])) && (pkE_7[ie1, i1_2] = pkE_10) then - return(AuthDecap_Some(r_7[ie1_1, i1_1])) - orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_10[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then - return(AuthDecap_Some(k'[id1_1])) - else - find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then - k' <-R eae_output_t; - return(AuthDecap_Some(k')) - else - pkR_3: G_t <- exp(g, sk_1); - find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then - return(AuthDecap_Some(r_8[u_78])) - orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = 
label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (dh2_1[ri_77] = exp(pk_S_1, sk_1)) && (dh1_1[ri_77] = exp(pkE_10, sk_1)) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then - return(AuthDecap_Some(r_9[u_77])) - else - r_8 <-R eae_output_t; - return(AuthDecap_Some(r_8)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_74, u_75]) - orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], 
sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_8[u_70, u_71]) - orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then - return(r_9[u_69]) - else - r_9 <-R eae_output_t; - return(r_9) - else - find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then - return(r_10[u_60]) - else - r_10 <-R eae_output_t; - return(r_10) - )) - - -Proved indistinguishability between game 75 and game 1 -Game 75 is the same as game 41. 
-Adv[Game 1: indistinguishability from game 41] <= Adv_sqGDH(time_1, 4 * Qh * Qdperuser + 3 * Qh * N + N * #OAEncap + N * #OADecap) + (N + #OAEncap) * PDistRerandom + (#OAEncap * Qdperuser + 2 * #OADecap * N + 6 * #OAEncap * Qeperuser + 2 * #OAEncap * N + 13 * N * N) * PCollKey + Adv[Game 41: indistinguishability from game 41] -Adv[Game 41: indistinguishability from game 41] <= 0 -Adv[Game 42: indistinguishability from game 75] <= Adv_sqGDH(time_2, 2 * Qh * Qdperuser + 3 * Qh * N + N * #OAEncap + N * #OADecap) + (N + #OAEncap) * PDistRerandom + (2 * #OADecap * N + 6 * #OAEncap * Qeperuser + 2 * #OAEncap * N + 7 * N * N) * PCollKey + Adv[Game 75: indistinguishability from game 75] -Adv[Game 75: indistinguishability from game 75] <= 0 -RESULT Proved indistinguishability between game 42 and game 1 up to probability Adv_sqGDH(time_2, 2 * Qh * Qdperuser + 3 * Qh * N + N * #OAEncap + N * #OADecap) + Adv_sqGDH(time_1, 4 * Qh * Qdperuser + 3 * Qh * N + N * #OAEncap + N * #OADecap) + (2 * N + 2 * #OAEncap) * PDistRerandom + (#OAEncap * Qdperuser + 4 * #OADecap * N + 12 * #OAEncap * Qeperuser + 4 * #OAEncap * N + 20 * N * N) * PCollKey -RESULT time_1 = time(context for game 37) + time + (1 + #OAEncap + N) * time(exp) -RESULT time_2 = time(context for game 71) + time + (1 + #OAEncap + N) * time(exp) -RESULT time(context for game 37) = #OAEncap * time(AuthEncap_tuple, maxlength(game 37: enc_7)) + (#OAEncap + 2 * Qh * #OAEncap) * time(exp) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 37: enc_8)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 3 * Qh * #OADecap) * time(I2OSP2) -RESULT time(context for game 71) = #OAEncap * time(AuthEncap_tuple, maxlength(game 71: enc_9)) + (#OAEncap + 2 * Qh * #OAEncap) * time(exp) + #OAEncap * time(Serialize) + #OAEncap * 
time(AuthEncap_tuple, maxlength(game 71: enc_10)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) -All queries proved. +Initial state +Game 1 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + return((skS: Z_t <- sk; {23}let (skE: Z_t, pkE_2: G_t) = (z <-R Z_t; (z, exp(g, z))) in dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); enc_1: bitstring <- Serialize(pkE_2); pkS: G_t <- exp(g, skS); kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); zz_2: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_2, enc_1) else AuthEncap_None)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + return((skR: Z_t <- sk; let Serialize(pkE_3: G_t) = enc_2 in dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); pkR_1: G_t <- exp(g, skR); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); zz_3: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1))); AuthDecap_Some(zz_3) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (skE: Z_t, pkE_2: G_t) 
(tuple expanded) at 23 + - Remove else branch of let at 23 +yields + +Game 2 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + skS: Z_t <- sk; + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + skE: Z_t <- z; + dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, skS); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + skR: Z_t <- sk; + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); + pkR_1: G_t <- exp(g, skR); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR (definition removed, all usages removed) + - Remove assignments on skS (definition removed, all usages removed) + - Remove assignments on skE (definition removed, all usages removed) +yields + +Game 3 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + 
Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {116} dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction find ie1_1 = ie1 <= Qeperuser, i1_3 = i1_2 <= N suchthat + defined(zz_2[ie1, i1_2], enc_1[ie1, i1_2], sk[i1_2], pk_R[ie1, i1_2]) + && (exp(g, sk) = pk_R[ie1, i1_2]) + && (exp(g, sk[i1_2]) = pk_S) + && (enc_1[ie1, i1_2] = enc_2) then + orfind id1_1 = id1 <= Qdperuser suchthat + defined(random_br[id1], zz_3[id1], enc_2[id1], pk_S[id1]) + && (pk_S[id1] = pk_S) + && (enc_2[id1] = enc_2) then + else + find i1_1 = i1 <= N suchthat + defined(sk[i1]) + && (pk_S = exp(g, sk[i1])) then + random_br <- true at occurrence 116 +yields + +Game 4 is + 
Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {116} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], enc_1[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {124}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (enc_1[ie1_3, i1_9] = enc_2)) then + dh_3: GG_t <- {150}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], enc_2[id1_3], pk_S[id1_3]) && {229}((pk_S[id1_3] = pk_S) && (enc_2[id1_3] = enc_2)) then + dh_3: GG_t <- {245}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + random_br: bool <- true; + dh_3: GG_t <- {329}concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))) at 329 + - Replaced ((pk_S[id1_3] = pk_S) && (enc_2[id1_3] = enc_2)) with ((pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3)) at 229 + - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))) at 245 + - Replaced defined condition random_br[id1_3], zz_3[id1_3], enc_2[id1_3], pk_S[id1_3] with random_br[id1_3], 
zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3] in find at 116 + - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (enc_1[ie1_3, i1_9] = enc_2)) with ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) at 124 + - Replaced concatDH(exp(pkE_3, sk), exp(pk_S, sk)) with concatDH(exp(g, mult(z[ie1_2, i1_8], sk)), exp(g, mult(sk[i1_8], sk))) at 150 + - Replaced defined condition zz_2[ie1_3, i1_9], enc_1[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] in find at 116 +yields + +Game 5 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + dh_3: GG_t <- concatDH(exp(g, mult(z[ie1_2, i1_8], sk)), exp(g, mult(sk[i1_8], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + 
info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some({222}zz_3)) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + random_br: bool <- true; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + 
else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying replace term at occurrence 222 with zz_2[ie1_2, i1_8] +yields + +Game 6 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + dh_3: GG_t <- concatDH(exp(g, mult(z[ie1_2, i1_8], sk)), exp(g, mult(sk[i1_8], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], 
pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + random_br: bool <- true; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of useless + - Remove assignments on random_br (definition point kept, all usages removed) + - Remove assignments on zz_3 (definition point kept, 
all usages removed) + - Remove assignments on key_1 (definition removed, all usages removed) + - Remove assignments on info_1 (definition removed, all usages removed) + - Remove assignments on dh_3 (definition removed, all usages removed) + - Remove assignments on kemContext_3 (definition removed, all usages removed) + - Remove assignments on pkR_1 (definition removed, all usages removed) +yields + +Game 7 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + zz_3: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(random_br[id1_3], zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, 
label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some({258}zz_3)) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + random_br: bool <- cst_bool; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying replace term at occurrence 258 with zz_3[id1_2] +yields + +Game 8 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- 
concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + zz_3: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_3[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + random_br: bool <- cst_bool; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- 
ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename zz_3 + - Rename variable zz_3 into zz_13, zz_12, zz_11, zz_10 +yields + +Game 9 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + zz_10: eae_output_t <- 
cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_10[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_10[id1_2])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_11[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_11[id1_2])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, 
key_1, info_1)); + return(AuthDecap_Some(zz_12[id1_2])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_13[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + random_br: bool <- cst_bool; + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + 
+Applying remove assignments of findcond + - Remove assignments on random_br (definition removed, all usages removed) +yields + +Game 10 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {116} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + zz_10: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_10[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_10[id1_2])) + orfind 
id1_2 = id1_3 <= Qdperuser suchthat defined(zz_11[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_11[id1_2])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12[id1_2])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_13[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13[id1_2])) + else + find 
i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Remove branch 5 in find at 116 + - Remove branch 3 in find at 116 + - Remove branch 2 in find at 116 + - Replaced defined condition zz_2[ie1_3, i1_9], z[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] in find at 116 +yields + +Game 11 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + 
key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + zz_10: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + 
return(AuthDecap_Some(zz_12)) + else + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename dh_3 + - Rename variable dh_3 into dh_12, dh_11, dh_10 +yields + +Game 12 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + zz_10: eae_output_t <- cst_eae_output_t; + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser 
suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + dh_10: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6[id1_2]], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on zz_10 (definition removed, all usages removed) + - 
Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on key_1 (definition removed, all usages removed) + - Remove assignments on info_1 (definition removed, all usages removed) + - Remove assignments on dh_10 (definition removed, all usages removed) + - Remove assignments on kemContext_3 (definition removed, all usages removed) + - Remove assignments on pkR_1 (definition removed, all usages removed) +yields + +Game 13 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {116} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + 
kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced defined condition zz_12[id1_3], sk[i1_6[id1_3]], pkE_3[id1_3], pk_S[id1_3] with zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3] in find at 116 +yields + +Game 14 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + 
foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename kemContext_3 + - Rename variable kemContext_3 into kemContext_11, kemContext_10 +yields + +Game 15 is + Ostart() := + key_extr_3 <-R hash_key_t; + 
return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); 
+ key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename key_1 + - Rename variable key_1 into key_6, key_5 +yields + +Game 16 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, 
sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_1)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_1)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename info_1 + - Rename variable info_1 into info_6, info_5 +yields + +Game 17 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + {18} z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + 
) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction find i1 <= N suchthat + defined(sk[i1]) + && pk_R = exp(g, sk[i1]) then at occurrence 18 +yields + +Game 18 is + Ostart() := + 
key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S 
= exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename z + - Rename variable z into z_3, z_2 +yields + +Game 19 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_2: GG_t <- {36}concatDH(exp(pk_R, z_2), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- 
ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pk_R, z_2), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))) at 36 +yields + +Game 20 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- 
ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename enc_1 + - Rename variable 
enc_1 into enc_8, enc_7 +yields + +Game 21 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_2: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + 
return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename dh_2 + - Rename variable dh_2 into dh_14, dh_13 +yields + +Game 22 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: 
expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_2[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_2[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- 
concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename zz_2 + - Rename variable zz_2 into zz_15, zz_14 +yields + +Game 23 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_2); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + {222} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {230}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_15[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {273}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) then + return(AuthDecap_Some(zz_15[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: 
eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify [probability (N^2 + #OAEncap * N) * PCollKey] + - Simplification pass + - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) with false at 273 + - Remove branch 2 in find at 222 + - Replaced ((exp(g, sk) = pk_R[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) with ((i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3)) at 230 + - Replaced defined condition zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9] in find at 222 +yields + +Game 24 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- 
exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, 
key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename kemContext_2 + - Rename variable kemContext_2 into kemContext_13, kemContext_12 +yields + +Game 25 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], 
sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename key + - Rename variable key into key_8, key_7 +yields + +Game 26 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- 
exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename info + - Rename variable info into info_8, info_7 +yields + +Game 27 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- 
concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_1: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename pkR_1 + - Rename variable pkR_1 into pkR_6, pkR_5 +yields + +Game 28 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 
<= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + {466} return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand( + l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: 
label_expand_t, + concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 466 +yields + +Game 29 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_7, info_7)); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_8, info_8)); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat 
defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return(ExtractAndExpand_inner(key_extr_3, x1)) + else + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_3 -> hk +yields + +Game 30 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + 
return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {104}find [unique] u_58 = ri_58 <= Qeperuser, u_59 = ri_59 <= N suchthat defined(x_O[ri_58, ri_59], r[ri_58, ri_59]) && {109}(x_O_1 = x_O[ri_58, ri_59]) then r[u_58, u_59] orfind u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O_1 = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O_1 = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O_1 = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then r_4[u_51] orfind u_50 = ri_50 <= Qh suchthat defined(x_O_5[ri_50], r_5[ri_50]) && {191}(x_O_1 = x_O_5[ri_50]) then r_5[u_50] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + zz_15: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); {294}find [unique] u_48 = ri_48 <= Qeperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_46 = ri_46 <= Qeperuser, u_47 = ri_47 <= N suchthat defined(x_O_1[ri_46, ri_47], r_1[ri_46, ri_47]) && {317}(x_O = x_O_1[ri_46, ri_47]) then r_1[u_46, u_47] orfind u_44 = ri_44 <= Qdperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then r_4[u_41] orfind u_40 = ri_40 <= Qh suchthat defined(x_O_5[ri_40], r_5[ri_40]) && {381}(x_O = x_O_5[ri_40]) then r_5[u_40] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, 
suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {563}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_3 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_3 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_3 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then r_4[u_31] orfind u_30 = ri_30 <= Qh suchthat defined(x_O_5[ri_30], r_5[ri_30]) && {650}(x_O_3 = x_O_5[ri_30]) then r_5[u_30] else r_3 <-R eae_output_t; r_3); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {735}find [unique] u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_2 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_2 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N 
suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_2 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then r_4[u_21] orfind u_20 = ri_20 <= Qh suchthat defined(x_O_5[ri_20], r_5[ri_20]) && {822}(x_O_2 = x_O_5[ri_20]) then r_5[u_20] else r_2 <-R eae_output_t; r_2); + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_4: eae_input_t <- x1; {873}find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] orfind u_10 = ri_10 <= Qh suchthat defined(x_O_5[ri_10], r_5[ri_10]) && {946}(x_O_4 = x_O_5[ri_10]) then r_5[u_10] else r_4 <-R eae_output_t; r_4)) + else + return((x_O_5: eae_input_t <- 
x1; {963}find [unique] u_8 = ri_8 <= Qeperuser, u_9 = ri_9 <= N suchthat defined(x_O[ri_8, ri_9], r[ri_8, ri_9]) && {968}(x_O_5 = x_O[ri_8, ri_9]) then r[u_8, u_9] orfind u_6 = ri_6 <= Qeperuser, u_7 = ri_7 <= N suchthat defined(x_O_1[ri_6, ri_7], r_1[ri_6, ri_7]) && {983}(x_O_5 = x_O_1[ri_6, ri_7]) then r_1[u_6, u_7] orfind u_4 = ri_4 <= Qdperuser, u_5 = ri_5 <= N suchthat defined(x_O_2[ri_4, ri_5], r_2[ri_4, ri_5]) && {998}(x_O_5 = x_O_2[ri_4, ri_5]) then r_2[u_4, u_5] orfind u_2 = ri_2 <= Qdperuser, u_3 = ri_3 <= N suchthat defined(x_O_3[ri_2, ri_3], r_3[ri_2, ri_3]) && {1013}(x_O_5 = x_O_3[ri_2, ri_3]) then r_3[u_2, u_3] orfind u_1 = ri_1 <= Qh suchthat defined(x_O_4[ri_1], r_4[ri_1]) && {1026}(x_O_5 = x_O_4[ri_1]) then r_4[u_1] orfind u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) + )) + + +Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O_1 = x_O_5[ri_50]) with false at 191 + - Remove branch 6 in find at 104 + - Replaced (x_O_1 = x_O[ri_58, ri_59]) with false at 109 + - Remove branch 1 in find at 104 + - Replaced (x_O = x_O_5[ri_40]) with false at 381 + - Remove branch 6 in find at 294 + - Replaced (x_O = x_O_1[ri_46, ri_47]) with false at 317 + - Remove branch 2 in find at 294 + - Replaced (x_O_3 = x_O_5[ri_30]) with false at 650 + - Remove branch 6 in find at 563 + - Replaced (x_O_2 = x_O_5[ri_20]) with false at 822 + - Remove branch 6 in find at 735 + - Replaced (x_O_4 = x_O_5[ri_10]) with false at 946 + - Remove branch 6 in find at 873 + - Replaced (x_O_5 = x_O_4[ri_1]) with false at 1026 + - Remove branch 5 in find at 963 + - Replaced (x_O_5 = x_O_3[ri_2, ri_3]) with false at 1013 + - Remove branch 4 in find at 963 + - Replaced (x_O_5 = x_O_2[ri_4, ri_5]) with false at 998 + - Remove branch 3 in find at 963 + - Replaced (x_O_5 = x_O_1[ri_6, ri_7]) with false at 983 + - Remove branch 2 in find at 963 + - 
Replaced (x_O_5 = x_O[ri_8, ri_9]) with false at 968 + - Remove branch 1 in find at 963 +yields + +Game 31 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + zz_14: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); {104}find [unique] u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_1[ri_56, ri_57], r_1[ri_56, ri_57]) && (x_O_1 = x_O_1[ri_56, ri_57]) then r_1[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_2[ri_54, ri_55], r_2[ri_54, ri_55]) && (x_O_1 = x_O_2[ri_54, ri_55]) then r_2[u_54, u_55] orfind u_52 = ri_52 <= Qdperuser, u_53 = ri_53 <= N suchthat defined(x_O_3[ri_52, ri_53], r_3[ri_52, ri_53]) && (x_O_1 = x_O_3[ri_52, ri_53]) then r_3[u_52, u_53] orfind u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then r_4[u_51] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); 
+ zz_15: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); {264}find [unique] u_48 = ri_48 <= Qeperuser, u_49 = ri_49 <= N suchthat defined(x_O[ri_48, ri_49], r[ri_48, ri_49]) && (x_O = x_O[ri_48, ri_49]) then r[u_48, u_49] orfind u_44 = ri_44 <= Qdperuser, u_45 = ri_45 <= N suchthat defined(x_O_2[ri_44, ri_45], r_2[ri_44, ri_45]) && (x_O = x_O_2[ri_44, ri_45]) then r_2[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_3[ri_42, ri_43], r_3[ri_42, ri_43]) && (x_O = x_O_3[ri_42, ri_43]) then r_3[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then r_4[u_41] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_12: eae_output_t <- (x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {503}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_3 = 
x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_3 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_3 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then r_3[u_32, u_33] orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then r_4[u_31] else r_3 <-R eae_output_t; r_3); + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_13: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {663}find [unique] u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O[ri_28, ri_29], r[ri_28, ri_29]) && (x_O_2 = x_O[ri_28, ri_29]) then r[u_28, u_29] orfind u_26 = ri_26 <= Qeperuser, u_27 = ri_27 <= N suchthat defined(x_O_1[ri_26, ri_27], r_1[ri_26, ri_27]) && (x_O_2 = x_O_1[ri_26, ri_27]) then r_1[u_26, u_27] orfind u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) then r_2[u_24, u_25] orfind u_22 = ri_22 <= Qdperuser, u_23 = ri_23 <= N suchthat defined(x_O_3[ri_22, ri_23], r_3[ri_22, ri_23]) && (x_O_2 = x_O_3[ri_22, ri_23]) then r_3[u_22, u_23] orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then r_4[u_21] else r_2 <-R eae_output_t; r_2); + return(AuthDecap_Some(zz_13)) + else + 
return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_4: eae_input_t <- x1; find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then r[u_18, u_19] orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then r_1[u_16, u_17] orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then r_2[u_14, u_15] orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then r_3[u_12, u_13] orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then r_4[u_11] else r_4 <-R eae_output_t; r_4)) + else + return((x_O_5: eae_input_t <- x1; find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then r_5[u] else r_5 <-R eae_output_t; r_5)) + )) + + +Applying expand [probability (2 * #OAEncap^2 + #OAEncap * N + #OAEncap * #OADecap + N^2 + #OADecap * N) * PCollKey] + - Expand if/find/let + - Remove branch 4 in find at 663 + - Remove branch 2 in find at 663 + - Remove branch 1 in find at 663 + - Remove branch 3 in find at 503 + - Remove branch 2 in find at 503 + - Remove branch 1 in find at 503 + - Remove branch 3 in find at 264 + - Remove branch 2 in find at 264 + - Remove branch 1 in find at 264 + - Remove branch 3 in find at 104 + - Remove branch 2 in find at 104 + - Remove branch 1 in 
find at 104 +yields + +Game 32 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_51 = ri_51 <= Qh suchthat defined(x_O_4[ri_51], r_4[ri_51]) && (x_O_1 = x_O_4[ri_51]) then + zz_14: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(zz_14, enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(zz_14, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); + find [unique] u_41 = ri_41 <= Qh suchthat defined(x_O_4[ri_41], r_4[ri_41]) && (x_O = x_O_4[ri_41]) then + zz_15: eae_output_t <- r_4[u_41]; + return(AuthEncap_tuple(zz_15, enc_8)) + else + r <-R eae_output_t; + zz_15: eae_output_t <- r; + return(AuthEncap_tuple(zz_15, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, 
i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && (x_O_3 = x_O_3[ri_32, ri_33]) then + zz_12: eae_output_t <- r_3[u_32, u_33]; + return(AuthDecap_Some(zz_12)) + orfind u_31 = ri_31 <= Qh suchthat defined(x_O_4[ri_31], r_4[ri_31]) && (x_O_3 = x_O_4[ri_31]) then + zz_12: eae_output_t <- r_4[u_31]; + return(AuthDecap_Some(zz_12)) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(zz_12)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && (x_O_2 = x_O_2[ri_24, ri_25]) 
then + zz_13: eae_output_t <- r_2[u_24, u_25]; + return(AuthDecap_Some(zz_13)) + orfind u_21 = ri_21 <= Qh suchthat defined(x_O_4[ri_21], r_4[ri_21]) && (x_O_2 = x_O_4[ri_21]) then + zz_13: eae_output_t <- r_4[u_21]; + return(AuthDecap_Some(zz_13)) + else + r_2 <-R eae_output_t; + zz_13: eae_output_t <- r_2; + return(AuthDecap_Some(zz_13)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- x1; + find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && (x_O_4 = x_O[ri_18, ri_19]) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && (x_O_4 = x_O_1[ri_16, ri_17]) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && (x_O_4 = x_O_2[ri_14, ri_15]) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && (x_O_4 = x_O_3[ri_12, ri_13]) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(x_O_4[ri_11], r_4[ri_11]) && (x_O_4 = x_O_4[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- x1; + find [unique] u = ri <= Qh suchthat defined(x_O_5[ri], r_5[ri]) && (x_O_5 = x_O_5[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_5 (definition point kept, all usages removed) 
+ - Remove assignments on x_O_4 (definition point kept, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_13 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition kept, array references kept) + - Remove assignments on zz_12 (definition kept, array references kept) + - Remove assignments on zz_12 (definition kept, array references kept) + - Remove assignments on zz_15 (definition removed, all usages removed) + - Remove assignments on zz_15 (definition removed, all usages removed) + - Remove assignments on zz_14 (definition kept, array references kept) + - Remove assignments on zz_14 (definition kept, array references kept) +yields + +Game 33 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + {103} find [unique] u_51 = ri_51 <= Qh suchthat defined(x1[ri_51], x_O_4[ri_51], r_4[ri_51]) && {107}(x_O_1 = x1[ri_51]) then + zz_14: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + 
enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); + {224} find [unique] u_41 = ri_41 <= Qh suchthat defined(x1[ri_41], x_O_4[ri_41], r_4[ri_41]) && {228}(x_O = x1[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + {413} find [unique] u_32 = ri_32 <= Qdperuser, u_33 = ri_33 <= N suchthat defined(x_O_3[ri_32, ri_33], r_3[ri_32, ri_33]) && {418}(x_O_3 = x_O_3[ri_32, ri_33]) then + zz_12: eae_output_t <- r_3[u_32, u_33]; + return(AuthDecap_Some(r_3[u_32, u_33])) + orfind u_31 = ri_31 <= Qh suchthat 
defined(x1[ri_31], x_O_4[ri_31], r_4[ri_31]) && {448}(x_O_3 = x1[ri_31]) then + zz_12: eae_output_t <- r_4[u_31]; + return(AuthDecap_Some(r_4[u_31])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + {544} find [unique] u_24 = ri_24 <= Qdperuser, u_25 = ri_25 <= N suchthat defined(x_O_2[ri_24, ri_25], r_2[ri_24, ri_25]) && {549}(x_O_2 = x_O_2[ri_24, ri_25]) then + return(AuthDecap_Some(r_2[u_24, u_25])) + orfind u_21 = ri_21 <= Qh suchthat defined(x1[ri_21], x_O_4[ri_21], r_4[ri_21]) && {570}(x_O_2 = x1[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + {619} find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(x_O[ri_18, ri_19], r[ri_18, ri_19]) && {624}(x1 = x_O[ri_18, ri_19]) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(x_O_1[ri_16, ri_17], r_1[ri_16, ri_17]) && {642}(x1 = x_O_1[ri_16, ri_17]) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat 
defined(x_O_2[ri_14, ri_15], r_2[ri_14, ri_15]) && {660}(x1 = x_O_2[ri_14, ri_15]) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(x_O_3[ri_12, ri_13], r_3[ri_12, ri_13]) && {678}(x1 = x_O_3[ri_12, ri_13]) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(x1[ri_11], x_O_4[ri_11], r_4[ri_11]) && {695}(x1 = x1[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + {715} find [unique] u = ri <= Qh suchthat defined(x1[ri], x_O_5[ri], r_5[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying simplify [probability (N^2 + #OADecap * N) * PCollKey] + - Simplification pass + - Replaced defined condition x1[ri], x_O_5[ri], r_5[ri] with r_5[ri], x1[ri] in find at 715 + - Replaced (x1 = x1[ri_11]) with ((pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11])) at 695 + - Replaced defined condition x1[ri_11], x_O_4[ri_11], r_4[ri_11] with r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11] in find at 619 + - Replaced (x1 = x_O_3[ri_12, ri_13]) with ((pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 678 + - 
Replaced defined condition x_O_3[ri_12, ri_13], r_3[ri_12, ri_13] with r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13] in find at 619 + - Replaced (x1 = x_O_2[ri_14, ri_15]) with ((pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 660 + - Replaced defined condition x_O_2[ri_14, ri_15], r_2[ri_14, ri_15] with r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15] in find at 619 + - Replaced (x1 = x_O_1[ri_16, ri_17]) with ((pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 642 + - Replaced defined condition x_O_1[ri_16, ri_17], r_1[ri_16, ri_17] with r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17] in find at 619 + - Replaced (x1 = x_O[ri_18, ri_19]) with ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 624 + - Replaced 
defined condition x_O[ri_18, ri_19], r[ri_18, ri_19] with r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19] in find at 619 + - Replaced (x_O_2 = x1[ri_21]) with ((pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21])) at 570 + - Replaced defined condition x1[ri_21], x_O_4[ri_21], r_4[ri_21] with r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21] in find at 544 + - Replaced (x_O_2 = x_O_2[ri_24, ri_25]) with ((pk_S = pk_S[ri_24, ri_25]) && (i = ri_25) && (pkE_3 = pkE_3[ri_24, ri_25])) at 549 + - In branch 1 of find at 544, substituting u_25 with i + - Replaced defined condition x_O_2[ri_24, ri_25], r_2[ri_24, ri_25] with r_2[ri_24], pkE_3[ri_24], pk_S[ri_24] in find at 544 + - Replaced (x_O_3 = x1[ri_31]) with ((pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31])) at 448 + - Replaced defined condition x1[ri_31], x_O_4[ri_31], r_4[ri_31] with r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31] in find at 413 + - Replaced (x_O_3 = x_O_3[ri_32, 
ri_33]) with ((i1_6 = i1_6[ri_32, ri_33]) && (i = ri_33) && (pkE_3 = pkE_3[ri_32, ri_33])) at 418 + - Remove branch 1 in find at 413 + - Replaced (x_O = x1[ri_41]) with ((pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41])) at 228 + - Replaced defined condition x1[ri_41], x_O_4[ri_41], r_4[ri_41] with r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41] in find at 224 + - Replaced (x_O_1 = x1[ri_51]) with ((pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51])) at 107 + - Replaced defined condition x1[ri_51], x_O_4[ri_51], r_4[ri_51] with r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51] in find at 103 +yields + +Game 34 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); 
+ enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); + find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = 
pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && 
(RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_31]; + return(AuthDecap_Some(r_4[u_31])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && {789}((pk_S = pk_S[ri_24]) && (i = i) && (pkE_3 = pkE_3[ri_24])) then + u_25 <= N <- i; + return(AuthDecap_Some(r_2[u_24])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, 
concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], 
sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S = pk_S[ri_24]) && (i = i) && (pkE_3 = pkE_3[ri_24])) with ((pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24])) at 789 +yields + +Game 35 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + 
OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_12: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_7: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_13); + info_7: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_12); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_7, info_7); + find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_13: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key_8: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_14); + info_8: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_13); + x_O: eae_input_t <- eae_input(lbytes_empty, key_8, info_8); + find [unique] u_41 = 
ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_5: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_3, pkR_5, pk_S); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_3: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], 
protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_31]; + return(AuthDecap_Some(r_4[u_31])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_3, pkR_6, pk_S); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_12); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + u_25 <= N <- i; + return(AuthDecap_Some(r_2[u_24])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_2 <-R 
eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, 
ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + x_O_5: eae_input_t <- cst_eae_input_t; + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying move all binders + - Move assignment to x_O_5 + - Move assignment to x_O_4 + - Move assignment to x_O_2 + - 
Move assignment to info_6 + - Move assignment to key_6 + - Move assignment to kemContext_11 + - Move assignment to x_O_3 + - Move assignment to info_5 + - Move assignment to key_5 + - Move assignment to kemContext_10 + - Move assignment to x_O + - Move assignment to info_8 + - Move assignment to key_8 + - Move assignment to kemContext_13 + - Move assignment to x_O_1 + - Move assignment to info_7 + - Move assignment to key_7 + - Move assignment to kemContext_12 +yields + +Game 36 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + dh_13: GG_t <- concatDH(exp(g, mult(sk[i1_10], z_2)), exp(g, mult(sk[i1_10], sk))); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + dh_14: GG_t <- concatDH(exp(pk_R, z_3), exp(pk_R, sk)); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_41 = ri_41 <= Qh suchthat 
defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + dh_11: GG_t <- concatDH(exp(pkE_3, sk), exp(g, mult(sk[i1_6], sk))); + pkR_5: G_t <- exp(g, sk); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && 
(exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_31]; + return(AuthDecap_Some(r_4[u_31])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + dh_12: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_6: G_t <- exp(g, sk); + find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + u_25 <= N <- i; + return(AuthDecap_Some(r_2[u_24])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, 
ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = 
label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_12 (definition removed, all usages removed) + - Remove assignments on u_25 (definition removed, all usages removed) + - Remove assignments on dh_11 (definition removed, all usages removed) + - Remove assignments on dh_14 (definition removed, all usages removed) + - Remove assignments on dh_13 (definition removed, all usages removed) +yields + +Game 37 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], 
protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (exp(g, mult(sk[i1_10], sk)) = dh2[ri_51]) && (exp(g, mult(sk[i1_10], z_2)) = dh1[ri_51]) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (exp(pk_R, sk) = dh2[ri_41]) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (exp(g, sk[i1_9]) = pk_S) && (pkE_2[ie1_3, i1_9] = 
pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + pkR_5: G_t <- exp(g, sk); + find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_31]) && (exp(pkE_3, sk) = dh1[ri_31]) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_31]; + return(AuthDecap_Some(r_4[u_31])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + pkR_6: G_t <- exp(g, sk); + find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + return(AuthDecap_Some(r_2[u_24])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (exp(pk_S, sk) = dh2[ri_21]) && (exp(pkE_3, sk) = dh1[ri_21]) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && 
(RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], z_2[ri_16, ri_17], sk[ri_17], sk[i1_10[ri_16, ri_17]], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_10[ri_16, ri_17]], sk[ri_17]))) && (dh1 = exp(g, mult(sk[i1_10[ri_16, ri_17]], z_2[ri_16, ri_17]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], 
pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(pkE_3[ri_12, ri_13], sk[ri_13])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying equivalence gdh(exp) with z_2, sk. 
[probability Adv_sqGDH(time_1, 7 * Qh) + (N + #OAEncap) * PDistRerandom + (2 * #OAEncap^2 + N^2) * PCollKey] + - Equivalence gdh(exp) with variables: sk -> a, z_2 -> a. +yields + +Game 38 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_11]))) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + {49} find [unique] u_51 = ri_51 <= Qh suchthat defined(r_4[ri_51], salt[ri_51], protocol1[ri_51], suite1[ri_51], label1[ri_51], dh1[ri_51], dh2[ri_51], l[ri_51], protocol2[ri_51], suite2[ri_51], label2[ri_51], pkE'[ri_51], pkR'[ri_51], pkS'[ri_51]) && (pkS = pkS'[ri_51]) && (pk_R = pkR'[ri_51]) && (pkE_2 = pkE'[ri_51]) && (label_shared_secret = label2[ri_51]) && (suite_id = suite2[ri_51]) && (RFCXXXX = protocol2[ri_51]) && (I2OSP2(Nsecret) = l[ri_51]) && (m_3: G_t <- dh2[ri_51]; false) && (m_2: G_t <- dh1[ri_51]; false) && (label_eae_prk = label1[ri_51]) && (suite_id = suite1[ri_51]) && (RFCXXXX = protocol1[ri_51]) && (lbytes_empty = salt[ri_51]) then + zz_14: eae_output_t <- r_4[u_51]; + return(AuthEncap_tuple(r_4[u_51], enc_7)) + else + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m: G_t <- dh2[ri_41]; m': 
G_t <- pk_R; (m = exp(m', sk))) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (m_9: G_t <- pk_S; (m_9 = exp(g, sk[i1_9]))) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_6: G_t <- pk_S; (m_6 = exp(g, sk[i1_7]))) then + pkR_5: G_t <- exp(g, sk); + {425} find [unique] u_31 = ri_31 <= Qh suchthat defined(r_4[ri_31], salt[ri_31], protocol1[ri_31], suite1[ri_31], label1[ri_31], dh1[ri_31], dh2[ri_31], l[ri_31], protocol2[ri_31], suite2[ri_31], label2[ri_31], pkE'[ri_31], pkR'[ri_31], pkS'[ri_31]) && (pk_S = pkS'[ri_31]) && (pkR_5 = pkR'[ri_31]) && (pkE_3 = pkE'[ri_31]) && (label_shared_secret = label2[ri_31]) && (suite_id = suite2[ri_31]) && (RFCXXXX = protocol2[ri_31]) && (I2OSP2(Nsecret) = l[ri_31]) && (m_8: G_t <- dh2[ri_31]; false) && (m_7: G_t <- dh1[ri_31]; m'_3: G_t <- pkE_3; (m_7 = exp(m'_3, sk))) && (label_eae_prk = label1[ri_31]) && (suite_id = suite1[ri_31]) && (RFCXXXX = protocol1[ri_31]) && (lbytes_empty = salt[ri_31]) then + zz_12: eae_output_t <- r_4[u_31]; + return(AuthDecap_Some(r_4[u_31])) + else + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + pkR_6: G_t <- exp(g, sk); + find [unique] u_24 = ri_24 <= Qdperuser suchthat 
defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + return(AuthDecap_Some(r_2[u_24])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_5: G_t <- dh2[ri_21]; m'_2: G_t <- pk_S; (m_5 = exp(m'_2, sk))) && (m_4: G_t <- dh1[ri_21]; m'_1: G_t <- pkE_3; (m_4 = exp(m'_1, sk))) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + {741} find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_10: G_t <- dh2; m'_4: G_t <- pk_R[ri_18, ri_19]; (m_10 = exp(m'_4, sk[ri_19]))) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && 
(protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_16 = ri_16 <= Qeperuser, u_17 = ri_17 <= N suchthat defined(r_1[ri_16, ri_17], pkE_2[ri_16, ri_17], pk_R[ri_16, ri_17], pkS[ri_16, ri_17]) && (pkS' = pkS[ri_16, ri_17]) && (pkR' = pk_R[ri_16, ri_17]) && (pkE' = pkE_2[ri_16, ri_17]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_12: G_t <- dh2; false) && (m_11: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_16, u_17]) + orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14: G_t <- dh2; m'_6: G_t <- pk_S[ri_14, ri_15]; (m_14 = exp(m'_6, sk[ri_15]))) && (m_13: G_t <- dh1; m'_5: G_t <- pkE_3[ri_14, ri_15]; (m_13 = exp(m'_5, sk[ri_15]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_3[ri_12, ri_13], sk[ri_13], pkE_3[ri_12, ri_13], pkR_5[ri_12, ri_13], pk_S[ri_12, ri_13]) && (pkS' = pk_S[ri_12, ri_13]) && (pkR' = pkR_5[ri_12, ri_13]) && (pkE' = pkE_3[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_16: G_t <- dh2; false) && (m_15: G_t <- dh1; m'_7: G_t <- pkE_3[ri_12, ri_13]; (m_15 = exp(m'_7, sk[ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_3[u_12, u_13]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], 
suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying expand + - Expand if/find/let + - Remove branch 4 in find at 741 + - Remove branch 2 in find at 741 + - Remove branch 1 in find at 425 + - Find at 425 removed (else branch kept if any) + - Remove branch 1 in find at 49 + - Find at 49 removed (else branch kept if any) +yields + +Game 39 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_11]))) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + r_1 <-R eae_output_t; + zz_14: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (m: G_t <- dh2[ri_41]; m': G_t <- pk_R; ((pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) 
&& (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (m = exp(m', sk)) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]))) then + return(AuthEncap_tuple(r_4[u_41], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_14[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (m_9: G_t <- pk_S; ((i = i1_10[ie1_3, i1_9]) && (m_9 = exp(g, sk[i1_9])) && (pkE_2[ie1_3, i1_9] = pkE_3))) then + return(AuthDecap_Some(zz_14[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(zz_12[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(zz_12[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_6: G_t <- pk_S; (m_6 = exp(g, sk[i1_7]))) then + pkR_5: G_t <- exp(g, sk); + r_3 <-R eae_output_t; + zz_12: eae_output_t <- r_3; + return(AuthDecap_Some(r_3)) + else + pkR_6: G_t <- exp(g, sk); + find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + return(AuthDecap_Some(r_2[u_24])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (m_5: G_t <- dh2[ri_21]; m'_2: G_t <- pk_S; m_4: G_t <- dh1[ri_21]; m'_1: G_t <- pkE_3; ((pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (m_5 = 
exp(m'_2, sk)) && (m_4 = exp(m'_1, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]))) then + return(AuthDecap_Some(r_4[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (m_10: G_t <- dh2; m'_4: G_t <- pk_R[ri_18, ri_19]; ((pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_10 = exp(m'_4, sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r[u_18, u_19]) + orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (m_14: G_t <- dh2; m'_6: G_t <- pk_S[ri_14, ri_15]; m_13: G_t <- dh1; m'_5: G_t <- pkE_3[ri_14, ri_15]; ((pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14 = exp(m'_6, sk[ri_15])) && (m_13 = exp(m'_5, sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = 
lbytes_empty))) then + return(r_2[u_14, u_15]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + + +Applying remove assignments of findcond + - Remove assignments on m_10 (definition removed, all usages removed) + - Remove assignments on m'_4 (definition removed, all usages removed) + - Remove assignments on m_14 (definition removed, all usages removed) + - Remove assignments on m'_6 (definition removed, all usages removed) + - Remove assignments on m_13 (definition removed, all usages removed) + - Remove assignments on m'_5 (definition removed, all usages removed) + - Remove assignments on m_5 (definition removed, all usages removed) + - Remove assignments on m'_2 (definition removed, all usages removed) + - Remove assignments on m_4 (definition removed, all usages removed) + - Remove assignments on m'_1 (definition removed, all usages removed) + - Remove assignments on pkR_5 (definition removed, all usages removed) + - Remove assignments on zz_12 (definition removed, all usages removed) + - Remove assignments on m_6 (definition removed, all usages removed) + - Remove assignments on m_9 (definition removed, all usages removed) + - Remove assignments on m (definition removed, all usages removed) + - Remove assignments on 
m' (definition removed, all usages removed) + - Remove assignments on zz_14 (definition removed, all usages removed) + - Remove assignments on m_1 (definition removed, all usages removed) +yields + +Game 40 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_10 = i1_11 <= N suchthat defined(sk[i1_11]) && (pk_R = exp(g, sk[i1_11])) then + z_2 <-R Z_t; + pkE_2: G_t <- exp(g, z_2); + enc_7: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_7)) + else + z_3 <-R Z_t; + pkE_2: G_t <- exp(g, z_3); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + find [unique] u_41 = ri_41 <= Qh suchthat defined(r_4[ri_41], salt[ri_41], protocol1[ri_41], suite1[ri_41], label1[ri_41], dh1[ri_41], dh2[ri_41], l[ri_41], protocol2[ri_41], suite2[ri_41], label2[ri_41], pkE'[ri_41], pkR'[ri_41], pkS'[ri_41]) && (pkS = pkS'[ri_41]) && (pk_R = pkR'[ri_41]) && (pkE_2 = pkE'[ri_41]) && (label_shared_secret = label2[ri_41]) && (suite_id = suite2[ri_41]) && (RFCXXXX = protocol2[ri_41]) && (I2OSP2(Nsecret) = l[ri_41]) && (dh2[ri_41] = exp(pk_R, sk)) && (exp(pk_R, z_3) = dh1[ri_41]) && (label_eae_prk = label1[ri_41]) && (suite_id = suite1[ri_41]) && (RFCXXXX = protocol1[ri_41]) && (lbytes_empty = salt[ri_41]) then + return(AuthEncap_tuple(r_4[u_41], enc_8)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_8)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(r_1[ie1_3, i1_9], pkE_2[ie1_3, i1_9], sk[i1_9], i1_10[ie1_3, i1_9]) && (i = i1_10[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (pkE_2[ie1_3, i1_9] = pkE_3) then + return(AuthDecap_Some(r_1[ie1_2, i1_8])) + orfind id1_2 = id1_3 <= Qdperuser suchthat defined(r_3[id1_3], pkE_3[id1_3], pk_S[id1_3]) && (pk_S[id1_3] = 
pk_S) && (pkE_3[id1_3] = pkE_3) then + return(AuthDecap_Some(r_3[id1_2])) + else + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_S = exp(g, sk[i1_7])) then + r_3 <-R eae_output_t; + return(AuthDecap_Some(r_3)) + else + pkR_6: G_t <- exp(g, sk); + find [unique] u_24 = ri_24 <= Qdperuser suchthat defined(r_2[ri_24], pkE_3[ri_24], pk_S[ri_24]) && (pk_S = pk_S[ri_24]) && (pkE_3 = pkE_3[ri_24]) then + return(AuthDecap_Some(r_2[u_24])) + orfind u_21 = ri_21 <= Qh suchthat defined(r_4[ri_21], salt[ri_21], protocol1[ri_21], suite1[ri_21], label1[ri_21], dh1[ri_21], dh2[ri_21], l[ri_21], protocol2[ri_21], suite2[ri_21], label2[ri_21], pkE'[ri_21], pkR'[ri_21], pkS'[ri_21]) && (pk_S = pkS'[ri_21]) && (pkR_6 = pkR'[ri_21]) && (pkE_3 = pkE'[ri_21]) && (label_shared_secret = label2[ri_21]) && (suite_id = suite2[ri_21]) && (RFCXXXX = protocol2[ri_21]) && (I2OSP2(Nsecret) = l[ri_21]) && (dh2[ri_21] = exp(pk_S, sk)) && (dh1[ri_21] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_21]) && (suite_id = suite1[ri_21]) && (RFCXXXX = protocol1[ri_21]) && (lbytes_empty = salt[ri_21]) then + return(AuthDecap_Some(r_4[u_21])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_18 = ri_18 <= Qeperuser, u_19 = ri_19 <= N suchthat defined(r[ri_18, ri_19], z_3[ri_18, ri_19], sk[ri_19], pkE_2[ri_18, ri_19], pk_R[ri_18, ri_19], pkS[ri_18, ri_19]) && (pkS' = pkS[ri_18, ri_19]) && (pkR' = pk_R[ri_18, ri_19]) && (pkE' = pkE_2[ri_18, ri_19]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && 
(l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_18, ri_19], sk[ri_19])) && (dh1 = exp(pk_R[ri_18, ri_19], z_3[ri_18, ri_19])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_18, u_19]) + orfind u_14 = ri_14 <= Qdperuser, u_15 = ri_15 <= N suchthat defined(r_2[ri_14, ri_15], sk[ri_15], pkE_3[ri_14, ri_15], pkR_6[ri_14, ri_15], pk_S[ri_14, ri_15]) && (pkS' = pk_S[ri_14, ri_15]) && (pkR' = pkR_6[ri_14, ri_15]) && (pkE' = pkE_3[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pkE_3[ri_14, ri_15], sk[ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_14, u_15]) + orfind u_11 = ri_11 <= Qh suchthat defined(r_4[ri_11], salt[ri_11], protocol1[ri_11], suite1[ri_11], label1[ri_11], dh1[ri_11], dh2[ri_11], l[ri_11], protocol2[ri_11], suite2[ri_11], label2[ri_11], pkE'[ri_11], pkR'[ri_11], pkS'[ri_11]) && (pkS' = pkS'[ri_11]) && (pkR' = pkR'[ri_11]) && (pkE' = pkE'[ri_11]) && (label2 = label2[ri_11]) && (suite2 = suite2[ri_11]) && (protocol2 = protocol2[ri_11]) && (l = l[ri_11]) && (dh2 = dh2[ri_11]) && (dh1 = dh1[ri_11]) && (label1 = label1[ri_11]) && (suite1 = suite1[ri_11]) && (protocol1 = protocol1[ri_11]) && (salt = salt[ri_11]) then + return(r_4[u_11]) + else + r_4 <-R eae_output_t; + return(r_4) + else + find [unique] u = ri <= Qh suchthat defined(r_5[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_5[u]) + else + r_5 <-R eae_output_t; + return(r_5) + )) + +Initial state +Game 41 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + {18} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; {22}let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; 
(z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_3: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None) in + return(AuthEncap_tuple(k, ce)) + else + return(AuthEncap_None) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k[ie1, i1_2], ce[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && ((exponent_16: Z_t <- sk_1[i1_2]; exp(g, exponent_16)) = pk_S_1) && (ce[ie1, i1_2] = cd) then + return(AuthDecap_Some(k[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && (exp(g, sk_1) = (exponent_17: Z_t <- sk_1[i1_4]; exp(g, exponent_17))) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd) then + return(AuthDecap_Some(k'[id1_1, i1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = (exponent_15: Z_t <- sk_1[i1]; exp(g, exponent_15))) then + {240} let AuthDecap_Some(k0: eae_output_t) = (skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4))); 
AuthDecap_Some(zz_9) else AuthDecap_None) in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + return((skR_1: Z_t <- sk_1; let Serialize(pkE_8: G_t) = cd in dh_8: GG_t <- concatDH(exp(pkE_8, skR_1), exp(pk_S_1, skR_1)); pkR_3: G_t <- exp(g, skR_1); kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3))); AuthDecap_Some(zz_8) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying expand [probability N^2 * PCollKey] + - Expand if/find/let + - Remove let at 240 + - Simplify pattern AuthDecap_Some(k0: eae_output_t) (tuple expanded) at 240 + - Remove else branch of let at 240 + - Simplify pattern (skE_1: Z_t, pkE_7: G_t) (tuple expanded) at 22 + - Remove else branch of let at 22 + - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 18 + - Remove else branch of let at 18 +yields + +Game 42 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + skS_1: Z_t <- sk_1; + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + skE_1: Z_t <- z_1; + dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, skS_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t 
<- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + ce: bitstring <- enc_6; + k: eae_output_t <- zz_7; + return(AuthEncap_tuple(k, ce)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k[ie1, i1_2], ce[ie1, i1_2]) && (exponent_16: Z_t <- sk_1[i1_2]; ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, exponent_16) = pk_S_1) && (ce[ie1, i1_2] = cd))) then + return(AuthDecap_Some(k[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && (exponent_17: Z_t <- sk_1[i1_4]; ((exp(g, sk_1) = exp(g, exponent_17)) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd))) then + return(AuthDecap_Some(k'[id1_1, i1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (exponent_15: Z_t <- sk_1[i1]; (pk_S_1 = exp(g, exponent_15))) then + skR_1: Z_t <- sk_1; + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); + pkR_4: G_t <- exp(g, skR_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_4, info_4)); + k0: eae_output_t <- zz_9; + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + skR_1: Z_t <- sk_1; + let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, skR_1), exp(pk_S_1, skR_1)); + pkR_3: G_t <- exp(g, skR_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, 
label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR_1 (definition removed, all usages removed) + - Remove assignments on skR_1 (definition removed, all usages removed) + - Remove assignments on k0 (definition removed, all usages removed) + - Remove assignments on exponent_15 (definition removed, all usages removed) + - Remove assignments on exponent_16 (definition removed, all usages removed) + - Remove assignments on exponent_17 (definition removed, all usages removed) + - Remove assignments on skS_1 (definition removed, all usages removed) + - Remove assignments on skE_1 (definition removed, all usages removed) + - Remove assignments on ce (definition removed, all usages removed) + - Remove assignments on k (definition removed, all usages removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on key_4 (definition removed, all usages removed) + - Remove assignments on info_4 (definition removed, all usages removed) + - Remove assignments on dh_9 (definition removed, all usages removed) + - Remove assignments on kemContext_9 (definition removed, all usages removed) + - Remove assignments on pkR_4 (definition removed, all usages removed) +yields + +Game 43 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t 
<- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + {112} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser, i1_1 = i1_4 <= N suchthat defined(sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4]) && {163}((exp(g, sk_1) = exp(g, sk_1[i1_4])) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd)) then + return(AuthDecap_Some(k'[id1_1, i1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify [probability N^2 * PCollKey] 
+ - Simplification pass + - Replaced ((exp(g, sk_1) = exp(g, sk_1[i1_4])) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd)) with ((i_1 = i1_4) && (pk_S_1[id1, i1_4] = pk_S_1) && (cd[id1, i1_4] = cd)) at 163 + - In branch 2 of find at 112, substituting i1_1 with i_1 + - Replaced defined condition sk_1[i1_4], pk_S_1[id1, i1_4], k'[id1, i1_4], cd[id1, i1_4] with k'[id1], cd[id1], pk_S_1[id1] in find at 112 +yields + +Game 44 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && {162}((i_1 = i_1) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) then + i1_1 <= N <- i_1; + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + let 
Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify + - Simplification pass + - Replaced ((i_1 = i_1) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) with ((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) at 162 +yields + +Game 45 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then + 
return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd) then + i1_1 <= N <- i_1; + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on i1_1 (definition removed, all usages removed) +yields + +Game 46 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, 
eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + {112} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (cd[id1] = cd) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction let Serialize(pkE_10) = cd in at occurrence 112 +yields + +Game 47 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- 
exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + {116} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {124}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && {166}((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + {200} let Serialize(pkE_9: G_t) = {201}cd in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + {216} let Serialize(pkE_8: G_t) = {217}cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + else + {296} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {304}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = 
pk_S_1) && (enc_6[ie1, i1_2] = cd)) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], cd[id1], pk_S_1[id1]) && {346}((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + {380} let Serialize(pkE_9: G_t) = cd in + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + return(AuthDecap_None) + else + {396} let Serialize(pkE_8: G_t) = cd in + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify + - Simplification pass + - Remove let at 396 + - Remove let at 380 + - Replaced ((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) with false at 346 + - Remove branch 2 in find at 296 + - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) with false at 304 + - Remove branch 1 in find at 296 + - Find at 296 removed (else branch kept if any) + - Replaced cd with Serialize(pkE_10) at 217 + - Remove else branch of let at 216 + - Simplify pattern Serialize(pkE_8: G_t) (tuple expanded) at 216 + - Replaced cd with Serialize(pkE_10) at 201 + - Remove else branch of let at 200 + - Simplify pattern Serialize(pkE_9: G_t) (tuple expanded) at 200 + - Replaced ((pk_S_1[id1] = pk_S_1) && (cd[id1] = cd)) with ((pk_S_1[id1] = pk_S_1) 
&& (pkE_9[id1] = pkE_10)) at 166 + - Replaced defined condition k'[id1], cd[id1], pk_S_1[id1] with k'[id1], pkE_9[id1], pk_S_1[id1] in find at 116 + - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_6[ie1, i1_2] = cd)) with ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) at 124 + - Replaced defined condition enc_6[ie1, i1_2], zz_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] with zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] in find at 116 +yields + +Game 48 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(k'[id1], pkE_9[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_9[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) 
then + pkE_9: G_t <- pkE_10; + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkE_8: G_t <- pkE_10; + dh_8: GG_t <- concatDH(exp(pkE_8, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + return(AuthDecap_None) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on pkE_8 (definition removed, all usages removed) + - Remove assignments on pkE_9 (definition removed, all usages removed) +yields + +Game 49 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find 
ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + {280} find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + return(AuthDecap_None) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying merge branches + - Merge all branches of find at 280 +yields + +Game 50 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + {18} z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, 
label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction find i1 <= N suchthat + defined(sk_1[i1]) + && pk_R_1 = exp(g, sk_1[i1]) then at occurrence 18 +yields + +Game 51 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + 
OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + else + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + 
else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename z_1 + - Rename variable z_1 into z_5, z_4 +yields + +Game 52 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_7: GG_t <- {36}concatDH(exp(pk_R_1, z_4), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pk_R_1, z_4), exp(pk_R_1, sk_1)) with concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))) at 36 +yields + +Game 53 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= 
Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_7: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R 
eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename dh_7 + - Rename variable dh_7 into dh_16, dh_15 +yields + +Game 54 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename enc_6 + - Rename variable enc_6 into enc_10, enc_9 +yields + +Game 55 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := 
+ find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + 
return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename kemContext_7 + - Rename variable kemContext_7 into kemContext_15, kemContext_14 +yields + +Game 56 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_2: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename key_2 + - Rename variable key_2 into key_10, key_9 +yields + +Game 57 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) 
:= + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_2)); + return(AuthEncap_tuple(zz_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_2)); + return(AuthEncap_tuple(zz_7, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + 
return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename info_2 + - Rename variable info_2 into info_10, info_9 +yields + +Game 58 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); + return(AuthEncap_tuple(zz_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, 
suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); + return(AuthEncap_tuple(zz_7, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying SA rename zz_7 + - Rename variable zz_7 into zz_17, zz_16 +yields + +Game 59 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 
<= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + {222} find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {230}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_17[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {273}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) then + return(AuthDecap_Some(zz_17[ie1_1, i1_1])) + orfind id1_1 = 
id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying simplify [probability (N^2 + #OAEncap * N) * PCollKey] + - Simplification pass + - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) with false at 273 + - Remove branch 2 in find at 222 + - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) with ((i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10)) at 230 + - Replaced defined condition zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] with zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2] in find at 222 +yields + +Game 60 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + 
dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- 
concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + {399} return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand(l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 399 +yields + +Game 61 is + Ostart() := + key_extr_10 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_9, info_9)); + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: 
bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_10, info_10)); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_10, eae_input(lbytes_empty, key_3, info_3)); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: 
two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + else + return(ExtractAndExpand_inner(key_extr_10, x1_1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_10 -> hk +yields + +Game 62 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); {104}find [unique] u_98 = ri_98 <= Qeperuser, u_99 = ri_99 <= N suchthat defined(x_O_6[ri_98, ri_99], r_6[ri_98, ri_99]) && {109}(x_O_7 = x_O_6[ri_98, ri_99]) then r_6[u_98, u_99] orfind u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] orfind u_92 = ri_92 <= Qh suchthat defined(x_O_10[ri_92], r_10[ri_92]) && {173}(x_O_7 = x_O_10[ri_92]) then r_10[u_92] else r_7 <-R eae_output_t; r_7); + 
return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); {276}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_88 = ri_88 <= Qeperuser, u_89 = ri_89 <= N suchthat defined(x_O_7[ri_88, ri_89], r_7[ri_88, ri_89]) && {299}(x_O_6 = x_O_7[ri_88, ri_89]) then r_7[u_88, u_89] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] orfind u_84 = ri_84 <= Qh suchthat defined(x_O_10[ri_84], r_10[ri_84]) && {345}(x_O_6 = x_O_10[ri_84]) then r_10[u_84] else r_6 <-R eae_output_t; r_6); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat 
defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); {532}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] orfind u_76 = ri_76 <= Qh suchthat defined(x_O_10[ri_76], r_10[ri_76]) && {601}(x_O_8 = x_O_10[ri_76]) then r_10[u_76] else r_8 <-R eae_output_t; r_8); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_9: eae_input_t <- x1_1; {652}find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = 
x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] orfind u_68 = ri_68 <= Qh suchthat defined(x_O_10[ri_68], r_10[ri_68]) && {710}(x_O_9 = x_O_10[ri_68]) then r_10[u_68] else r_9 <-R eae_output_t; r_9)) + else + return((x_O_10: eae_input_t <- x1_1; {727}find [unique] u_66 = ri_66 <= Qeperuser, u_67 = ri_67 <= N suchthat defined(x_O_6[ri_66, ri_67], r_6[ri_66, ri_67]) && {732}(x_O_10 = x_O_6[ri_66, ri_67]) then r_6[u_66, u_67] orfind u_64 = ri_64 <= Qeperuser, u_65 = ri_65 <= N suchthat defined(x_O_7[ri_64, ri_65], r_7[ri_64, ri_65]) && {747}(x_O_10 = x_O_7[ri_64, ri_65]) then r_7[u_64, u_65] orfind u_62 = ri_62 <= Qdperuser, u_63 = ri_63 <= N suchthat defined(x_O_8[ri_62, ri_63], r_8[ri_62, ri_63]) && {762}(x_O_10 = x_O_8[ri_62, ri_63]) then r_8[u_62, u_63] orfind u_61 = ri_61 <= Qh suchthat defined(x_O_9[ri_61], r_9[ri_61]) && {775}(x_O_10 = x_O_9[ri_61]) then r_9[u_61] orfind u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) + )) + + +Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O_7 = x_O_10[ri_92]) with false at 173 + - Remove branch 5 in find at 104 + - Replaced (x_O_7 = x_O_6[ri_98, ri_99]) with false at 109 + - Remove branch 1 in find at 104 + - Replaced (x_O_6 = x_O_10[ri_84]) with false at 345 + - Remove branch 5 in find at 276 + - Replaced (x_O_6 = x_O_7[ri_88, ri_89]) with false at 299 + - Remove branch 2 in find at 276 + - Replaced (x_O_8 = x_O_10[ri_76]) with 
false at 601 + - Remove branch 5 in find at 532 + - Replaced (x_O_9 = x_O_10[ri_68]) with false at 710 + - Remove branch 5 in find at 652 + - Replaced (x_O_10 = x_O_9[ri_61]) with false at 775 + - Remove branch 4 in find at 727 + - Replaced (x_O_10 = x_O_8[ri_62, ri_63]) with false at 762 + - Remove branch 3 in find at 727 + - Replaced (x_O_10 = x_O_7[ri_64, ri_65]) with false at 747 + - Remove branch 2 in find at 727 + - Replaced (x_O_10 = x_O_6[ri_66, ri_67]) with false at 732 + - Remove branch 1 in find at 727 +yields + +Game 63 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + zz_16: eae_output_t <- (x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); {104}find [unique] u_96 = ri_96 <= Qeperuser, u_97 = ri_97 <= N suchthat defined(x_O_7[ri_96, ri_97], r_7[ri_96, ri_97]) && (x_O_7 = x_O_7[ri_96, ri_97]) then r_7[u_96, u_97] orfind u_94 = ri_94 <= Qdperuser, u_95 = ri_95 <= N suchthat defined(x_O_8[ri_94, ri_95], r_8[ri_94, ri_95]) && (x_O_7 = x_O_8[ri_94, ri_95]) then r_8[u_94, u_95] orfind u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then r_9[u_93] else r_7 <-R eae_output_t; r_7); + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: 
bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + zz_17: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); {246}find [unique] u_90 = ri_90 <= Qeperuser, u_91 = ri_91 <= N suchthat defined(x_O_6[ri_90, ri_91], r_6[ri_90, ri_91]) && (x_O_6 = x_O_6[ri_90, ri_91]) then r_6[u_90, u_91] orfind u_86 = ri_86 <= Qdperuser, u_87 = ri_87 <= N suchthat defined(x_O_8[ri_86, ri_87], r_8[ri_86, ri_87]) && (x_O_6 = x_O_8[ri_86, ri_87]) then r_8[u_86, u_87] orfind u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then r_9[u_85] else r_6 <-R eae_output_t; r_6); + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_8); + zz_8: eae_output_t <- (x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); {472}find [unique] u_82 = ri_82 <= Qeperuser, u_83 = ri_83 <= N suchthat defined(x_O_6[ri_82, ri_83], r_6[ri_82, ri_83]) && (x_O_8 = x_O_6[ri_82, ri_83]) then r_6[u_82, u_83] orfind u_80 = ri_80 <= Qeperuser, u_81 = ri_81 <= N suchthat defined(x_O_7[ri_80, ri_81], r_7[ri_80, ri_81]) && (x_O_8 = x_O_7[ri_80, ri_81]) then r_7[u_80, u_81] orfind u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then r_8[u_78, u_79] orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then r_9[u_77] else r_8 <-R eae_output_t; r_8); + return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_9: eae_input_t <- x1_1; find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then r_6[u_74, u_75] orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then r_7[u_72, u_73] orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then r_8[u_70, u_71] orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then r_9[u_69] else r_9 <-R eae_output_t; r_9)) + else + return((x_O_10: eae_input_t <- x1_1; find [unique] u_60 = 
ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then r_10[u_60] else r_10 <-R eae_output_t; r_10)) + )) + + +Applying expand [probability (2 * #OAEncap^2 + #OAEncap * N + #OAEncap * #OADecap + N^2 + #OADecap * N) * PCollKey] + - Expand if/find/let + - Remove branch 2 in find at 472 + - Remove branch 1 in find at 472 + - Remove branch 2 in find at 246 + - Remove branch 1 in find at 246 + - Remove branch 2 in find at 104 + - Remove branch 1 in find at 104 +yields + +Game 64 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); + find [unique] u_93 = ri_93 <= Qh suchthat defined(x_O_9[ri_93], r_9[ri_93]) && (x_O_7 = x_O_9[ri_93]) then + zz_16: eae_output_t <- r_9[u_93]; + return(AuthEncap_tuple(zz_16, enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(zz_16, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, 
label_shared_secret, kemContext_15); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); + find [unique] u_85 = ri_85 <= Qh suchthat defined(x_O_9[ri_85], r_9[ri_85]) && (x_O_6 = x_O_9[ri_85]) then + zz_17: eae_output_t <- r_9[u_85]; + return(AuthEncap_tuple(zz_17, enc_10)) + else + r_6 <-R eae_output_t; + zz_17: eae_output_t <- r_6; + return(AuthEncap_tuple(zz_17, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); + find [unique] u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && (x_O_8 = x_O_8[ri_78, ri_79]) then + zz_8: eae_output_t <- r_8[u_78, u_79]; + return(AuthDecap_Some(zz_8)) + orfind u_77 = ri_77 <= Qh suchthat defined(x_O_9[ri_77], r_9[ri_77]) && (x_O_8 = x_O_9[ri_77]) then + zz_8: eae_output_t <- r_9[u_77]; + return(AuthDecap_Some(zz_8)) + else + r_8 <-R eae_output_t; + zz_8: eae_output_t <- r_8; + 
return(AuthDecap_Some(zz_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- x1_1; + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && (x_O_9 = x_O_6[ri_74, ri_75]) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && (x_O_9 = x_O_7[ri_72, ri_73]) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && (x_O_9 = x_O_8[ri_70, ri_71]) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(x_O_9[ri_69], r_9[ri_69]) && (x_O_9 = x_O_9[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- x1_1; + find [unique] u_60 = ri_60 <= Qh suchthat defined(x_O_10[ri_60], r_10[ri_60]) && (x_O_10 = x_O_10[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_10 (definition point kept, all usages removed) + - Remove assignments on x_O_9 (definition point kept, all usages removed) + - Remove assignments on zz_8 (definition removed, all usages removed) + - Remove assignments on zz_8 (definition removed, all usages removed) + - Remove assignments on zz_8 (definition removed, all usages removed) + - Remove assignments on zz_17 (definition removed, all usages removed) + - Remove assignments on zz_17 (definition removed, 
all usages removed) + - Remove assignments on zz_16 (definition kept, array references kept) + - Remove assignments on zz_16 (definition kept, array references kept) +yields + +Game 65 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); + {103} find [unique] u_93 = ri_93 <= Qh suchthat defined(x1_1[ri_93], x_O_9[ri_93], r_9[ri_93]) && {107}(x_O_7 = x1_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_93]; + return(AuthEncap_tuple(r_9[u_93], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); + {224} find [unique] u_85 = ri_85 <= Qh suchthat defined(x1_1[ri_85], x_O_9[ri_85], r_9[ri_85]) && {228}(x_O_6 = x1_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_10)) + else + r_6 <-R eae_output_t; 
+ return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); + {418} find [unique] u_78 = ri_78 <= Qdperuser, u_79 = ri_79 <= N suchthat defined(x_O_8[ri_78, ri_79], r_8[ri_78, ri_79]) && {423}(x_O_8 = x_O_8[ri_78, ri_79]) then + return(AuthDecap_Some(r_8[u_78, u_79])) + orfind u_77 = ri_77 <= Qh suchthat defined(x1_1[ri_77], x_O_9[ri_77], r_9[ri_77]) && {444}(x_O_8 = x1_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: 
label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + {493} find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(x_O_6[ri_74, ri_75], r_6[ri_74, ri_75]) && {498}(x1_1 = x_O_6[ri_74, ri_75]) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(x_O_7[ri_72, ri_73], r_7[ri_72, ri_73]) && {516}(x1_1 = x_O_7[ri_72, ri_73]) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(x_O_8[ri_70, ri_71], r_8[ri_70, ri_71]) && {534}(x1_1 = x_O_8[ri_70, ri_71]) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(x1_1[ri_69], x_O_9[ri_69], r_9[ri_69]) && {551}(x1_1 = x1_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + {571} find [unique] u_60 = ri_60 <= Qh suchthat defined(x1_1[ri_60], x_O_10[ri_60], r_10[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying simplify [probability (N^2 + #OADecap * N) * PCollKey] + - Simplification pass + - Replaced defined condition x1_1[ri_60], x_O_10[ri_60], r_10[ri_60] with r_10[ri_60], x1_1[ri_60] in find at 571 + - Replaced (x1_1 = x1_1[ri_69]) with ((pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69])) at 551 + - Replaced defined condition x1_1[ri_69], x_O_9[ri_69], r_9[ri_69] with r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], 
pkE''[ri_69], pkR''[ri_69], pkS''[ri_69] in find at 493 + - Replaced (x1_1 = x_O_8[ri_70, ri_71]) with ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 534 + - Replaced defined condition x_O_8[ri_70, ri_71], r_8[ri_70, ri_71] with r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71] in find at 493 + - Replaced (x1_1 = x_O_7[ri_72, ri_73]) with ((pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 516 + - Replaced defined condition x_O_7[ri_72, ri_73], r_7[ri_72, ri_73] with r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73] in find at 493 + - Replaced (x1_1 = x_O_6[ri_74, ri_75]) with ((pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 498 + - Replaced defined condition 
x_O_6[ri_74, ri_75], r_6[ri_74, ri_75] with r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75] in find at 493 + - Replaced (x_O_8 = x1_1[ri_77]) with ((pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77])) at 444 + - Replaced defined condition x1_1[ri_77], x_O_9[ri_77], r_9[ri_77] with r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77] in find at 418 + - Replaced (x_O_8 = x_O_8[ri_78, ri_79]) with ((pk_S_1 = pk_S_1[ri_78, ri_79]) && (i_1 = ri_79) && (pkE_10 = pkE_10[ri_78, ri_79])) at 423 + - In branch 1 of find at 418, substituting u_79 with i_1 + - Replaced defined condition x_O_8[ri_78, ri_79], r_8[ri_78, ri_79] with r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78] in find at 418 + - Replaced (x_O_6 = x1_1[ri_85]) with ((pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85])) at 228 + - Replaced defined condition x1_1[ri_85], x_O_9[ri_85], r_9[ri_85] with r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], 
suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85] in find at 224 + - Replaced (x_O_7 = x1_1[ri_93]) with ((pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93])) at 107 + - Replaced defined condition x1_1[ri_93], x_O_9[ri_93], r_9[ri_93] with r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93] in find at 103 +yields + +Game 66 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); + find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) 
&& (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_93]; + return(AuthEncap_tuple(r_9[u_93], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_10, info_10); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + 
OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, info_3); + find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && {605}((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_10 = pkE_10[ri_78])) then + u_79 <= N <- i_1; + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) 
&& (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + 
return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S_1 = pk_S_1[ri_78]) && (i_1 = i_1) && (pkE_10 = pkE_10[ri_78])) with ((pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78])) at 605 +yields + +Game 67 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N 
suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_14: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_9: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_15); + info_9: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_14); + x_O_7: eae_input_t <- eae_input(lbytes_empty, key_9, info_9); + find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_93]; + return(AuthEncap_tuple(r_9[u_93], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + kemContext_15: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_3); + key_10: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_16); + info_10: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_15); + x_O_6: eae_input_t <- 
eae_input(lbytes_empty, key_10, info_10); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + kemContext_8: GGG_t <- concatContext(pkE_10, pkR_3, pk_S_1); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + x_O_8: eae_input_t <- eae_input(lbytes_empty, key_3, 
info_3); + find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + u_79 <= N <- i_1; + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_9: eae_input_t <- cst_eae_input_t; + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], 
sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = 
l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + x_O_10: eae_input_t <- cst_eae_input_t; + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying move all binders + - Move assignment to x_O_10 + - Move assignment to x_O_9 + - Move assignment to x_O_8 + - Move assignment to info_3 + - Move assignment to key_3 + - Move assignment to kemContext_8 + - Move assignment to x_O_6 + - Move assignment to info_10 + - Move assignment to key_10 + - Move assignment to kemContext_15 + - Move assignment to x_O_7 + - Move assignment to info_9 + - Move assignment to key_9 + - Move assignment to kemContext_14 +yields + +Game 68 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + dh_15: GG_t <- concatDH(exp(g, mult(sk_1[i1_12], z_4)), exp(g, mult(sk_1[i1_12], sk_1))); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, 
mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_93]; + return(AuthEncap_tuple(r_9[u_93], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + dh_16: GG_t <- concatDH(exp(pk_R_1, z_5), exp(pk_R_1, sk_1)); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && 
(pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + dh_8: GG_t <- concatDH(exp(pkE_10, sk_1), exp(pk_S_1, sk_1)); + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + u_79 <= N <- i_1; + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = 
label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) 
&& (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_8 (definition removed, all usages removed) + - Remove assignments on u_79 (definition removed, all usages removed) + - Remove assignments on dh_16 (definition removed, all usages removed) + - Remove assignments on dh_15 (definition removed, all usages removed) +yields + +Game 69 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (exp(g, mult(sk_1[i1_12], sk_1)) = dh2_1[ri_93]) && (exp(g, mult(sk_1[i1_12], z_4)) = dh1_1[ri_93]) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = 
protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_93]; + return(AuthEncap_tuple(r_9[u_93], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (exp(pk_R_1, sk_1) = dh2_1[ri_85]) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_78 = ri_78 <= Qdperuser suchthat 
defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (exp(pk_S_1, sk_1) = dh2_1[ri_77]) && (exp(pkE_10, sk_1) = dh1_1[ri_77]) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) 
&& (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], z_4[ri_72, ri_73], sk_1[ri_73], sk_1[i1_12[ri_72, ri_73]], pkE_7[ri_72, ri_73], pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], sk_1[ri_73]))) && (dh1_1 = exp(g, mult(sk_1[i1_12[ri_72, ri_73]], z_4[ri_72, ri_73]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) 
&& (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying equivalence gdh(exp) [probability Adv_sqGDH(time_2, 5 * Qh) + (N + #OAEncap) * PDistRerandom + (2 * #OAEncap^2 + N^2) * PCollKey] + - Equivalence gdh(exp) with variables: sk_1 -> a, z_4 -> a +yields + +Game 70 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (m_28: G_t <- pk_R_1; (m_28 = exp(g, sk_1[i1_13]))) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + {49} find [unique] u_93 = ri_93 <= Qh suchthat defined(r_9[ri_93], salt_1[ri_93], protocol1_1[ri_93], suite1_1[ri_93], label1_1[ri_93], dh1_1[ri_93], dh2_1[ri_93], l_1[ri_93], protocol2_1[ri_93], suite2_1[ri_93], label2_1[ri_93], pkE''[ri_93], pkR''[ri_93], pkS''[ri_93]) && (pkS_3 = pkS''[ri_93]) && (pk_R_1 = pkR''[ri_93]) && (pkE_7 = pkE''[ri_93]) && (label_shared_secret = label2_1[ri_93]) && (suite_id = suite2_1[ri_93]) && (RFCXXXX = protocol2_1[ri_93]) && (I2OSP2(Nsecret) = l_1[ri_93]) && (m_29: G_t <- dh2_1[ri_93]; false) && (m_17: G_t <- dh1_1[ri_93]; false) && (label_eae_prk = label1_1[ri_93]) && (suite_id = suite1_1[ri_93]) && (RFCXXXX = protocol1_1[ri_93]) && (lbytes_empty = salt_1[ri_93]) then + zz_16: eae_output_t <- r_9[u_93]; + return(AuthEncap_tuple(r_9[u_93], enc_9)) + else + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat 
defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (m_27: G_t <- dh2_1[ri_85]; m'_13: G_t <- pk_R_1; (m_27 = exp(m'_13, sk_1))) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (m_21: G_t <- pk_S_1; (m_21 = exp(g, sk_1[i1_2]))) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (m_20: G_t <- pk_S_1; (m_20 = exp(g, sk_1[i1]))) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], 
suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (m_19: G_t <- dh2_1[ri_77]; m'_9: G_t <- pk_S_1; (m_19 = exp(m'_9, sk_1))) && (m_18: G_t <- dh1_1[ri_77]; m'_8: G_t <- pkE_10; (m_18 = exp(m'_8, sk_1))) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + {615} find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_22: G_t <- dh2_1; m'_10: G_t <- pk_R_1[ri_74, ri_75]; (m_22 = exp(m'_10, sk_1[ri_75]))) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_72 = ri_72 <= Qeperuser, u_73 = ri_73 <= N suchthat defined(r_7[ri_72, ri_73], pkE_7[ri_72, ri_73], 
pk_R_1[ri_72, ri_73], pkS_3[ri_72, ri_73]) && (pkS'' = pkS_3[ri_72, ri_73]) && (pkR'' = pk_R_1[ri_72, ri_73]) && (pkE'' = pkE_7[ri_72, ri_73]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_24: G_t <- dh2_1; false) && (m_23: G_t <- dh1_1; false) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_7[u_72, u_73]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_26: G_t <- dh2_1; m'_12: G_t <- pk_S_1[ri_70, ri_71]; (m_26 = exp(m'_12, sk_1[ri_71]))) && (m_25: G_t <- dh1_1; m'_11: G_t <- pkE_10[ri_70, ri_71]; (m_25 = exp(m'_11, sk_1[ri_71]))) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) 
then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying expand + - Expand if/find/let + - Remove branch 2 in find at 615 + - Remove branch 1 in find at 49 + - Find at 49 removed (else branch kept if any) +yields + +Game 71 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (m_28: G_t <- pk_R_1; (m_28 = exp(g, sk_1[i1_13]))) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + r_7 <-R eae_output_t; + zz_16: eae_output_t <- r_7; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (m_27: G_t <- dh2_1[ri_85]; m'_13: G_t <- pk_R_1; ((pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (m_27 = exp(m'_13, sk_1)) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]))) then + return(AuthEncap_tuple(r_9[u_85], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(zz_16[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (m_21: G_t <- 
pk_S_1; ((i_1 = i1_12[ie1, i1_2]) && (m_21 = exp(g, sk_1[i1_2])) && (pkE_7[ie1, i1_2] = pkE_10))) then + return(AuthDecap_Some(zz_16[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (m_20: G_t <- pk_S_1; (m_20 = exp(g, sk_1[i1]))) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (m_19: G_t <- dh2_1[ri_77]; m'_9: G_t <- pk_S_1; m_18: G_t <- dh1_1[ri_77]; m'_8: G_t <- pkE_10; ((pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (m_19 = exp(m'_9, sk_1)) && (m_18 = exp(m'_8, sk_1)) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]))) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, 
label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (m_22: G_t <- dh2_1; m'_10: G_t <- pk_R_1[ri_74, ri_75]; ((pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_22 = exp(m'_10, sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty))) then + return(r_6[u_74, u_75]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (m_26: G_t <- dh2_1; m'_12: G_t <- pk_S_1[ri_70, ri_71]; m_25: G_t <- dh1_1; m'_11: G_t <- pkE_10[ri_70, ri_71]; ((pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (m_26 = exp(m'_12, sk_1[ri_71])) && (m_25 = exp(m'_11, sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty))) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && 
(dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Applying remove assignments of findcond + - Remove assignments on m_22 (definition removed, all usages removed) + - Remove assignments on m'_10 (definition removed, all usages removed) + - Remove assignments on m_26 (definition removed, all usages removed) + - Remove assignments on m'_12 (definition removed, all usages removed) + - Remove assignments on m_25 (definition removed, all usages removed) + - Remove assignments on m'_11 (definition removed, all usages removed) + - Remove assignments on m_19 (definition removed, all usages removed) + - Remove assignments on m'_9 (definition removed, all usages removed) + - Remove assignments on m_18 (definition removed, all usages removed) + - Remove assignments on m'_8 (definition removed, all usages removed) + - Remove assignments on m_20 (definition removed, all usages removed) + - Remove assignments on m_21 (definition removed, all usages removed) + - Remove assignments on m_27 (definition removed, all usages removed) + - Remove assignments on m'_13 (definition removed, all usages removed) + - Remove assignments on zz_16 (definition removed, all usages removed) + - Remove assignments on m_28 (definition removed, all usages removed) +yields + +Game 72 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_12 = i1_13 <= N suchthat defined(sk_1[i1_13]) && (pk_R_1 = exp(g, sk_1[i1_13])) then + z_4 <-R Z_t; + pkE_7: G_t <- exp(g, z_4); + enc_9: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); 
+ r_7 <-R eae_output_t; + return(AuthEncap_tuple(r_7, enc_9)) + else + z_5 <-R Z_t; + pkE_7: G_t <- exp(g, z_5); + enc_10: bitstring <- Serialize(pkE_7); + pkS_3: G_t <- exp(g, sk_1); + find [unique] u_85 = ri_85 <= Qh suchthat defined(r_9[ri_85], salt_1[ri_85], protocol1_1[ri_85], suite1_1[ri_85], label1_1[ri_85], dh1_1[ri_85], dh2_1[ri_85], l_1[ri_85], protocol2_1[ri_85], suite2_1[ri_85], label2_1[ri_85], pkE''[ri_85], pkR''[ri_85], pkS''[ri_85]) && (pkS_3 = pkS''[ri_85]) && (pk_R_1 = pkR''[ri_85]) && (pkE_7 = pkE''[ri_85]) && (label_shared_secret = label2_1[ri_85]) && (suite_id = suite2_1[ri_85]) && (RFCXXXX = protocol2_1[ri_85]) && (I2OSP2(Nsecret) = l_1[ri_85]) && (dh2_1[ri_85] = exp(pk_R_1, sk_1)) && (exp(pk_R_1, z_5) = dh1_1[ri_85]) && (label_eae_prk = label1_1[ri_85]) && (suite_id = suite1_1[ri_85]) && (RFCXXXX = protocol1_1[ri_85]) && (lbytes_empty = salt_1[ri_85]) then + return(AuthEncap_tuple(r_9[u_85], enc_10)) + else + r_6 <-R eae_output_t; + return(AuthEncap_tuple(r_6, enc_10)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + let Serialize(pkE_10: G_t) = cd in + find ie1_1 = ie1 <= Qeperuser, i1_1 = i1_2 <= N suchthat defined(r_7[ie1, i1_2], pkE_7[ie1, i1_2], sk_1[i1_2], i1_12[ie1, i1_2]) && (i_1 = i1_12[ie1, i1_2]) && (pk_S_1 = exp(g, sk_1[i1_2])) && (pkE_7[ie1, i1_2] = pkE_10) then + return(AuthDecap_Some(r_7[ie1_1, i1_1])) + orfind id1_1 = id1 <= Qdperuser suchthat defined(pkE_10[id1], k'[id1], pk_S_1[id1]) && (pk_S_1[id1] = pk_S_1) && (pkE_10[id1] = pkE_10) then + return(AuthDecap_Some(k'[id1_1])) + else + find i1_1 = i1 <= N suchthat defined(sk_1[i1]) && (pk_S_1 = exp(g, sk_1[i1])) then + k' <-R eae_output_t; + return(AuthDecap_Some(k')) + else + pkR_3: G_t <- exp(g, sk_1); + find [unique] u_78 = ri_78 <= Qdperuser suchthat defined(r_8[ri_78], pkE_10[ri_78], pk_S_1[ri_78]) && (pk_S_1 = pk_S_1[ri_78]) && (pkE_10 = pkE_10[ri_78]) then + return(AuthDecap_Some(r_8[u_78])) + orfind u_77 = ri_77 <= Qh suchthat 
defined(r_9[ri_77], salt_1[ri_77], protocol1_1[ri_77], suite1_1[ri_77], label1_1[ri_77], dh1_1[ri_77], dh2_1[ri_77], l_1[ri_77], protocol2_1[ri_77], suite2_1[ri_77], label2_1[ri_77], pkE''[ri_77], pkR''[ri_77], pkS''[ri_77]) && (pk_S_1 = pkS''[ri_77]) && (pkR_3 = pkR''[ri_77]) && (pkE_10 = pkE''[ri_77]) && (label_shared_secret = label2_1[ri_77]) && (suite_id = suite2_1[ri_77]) && (RFCXXXX = protocol2_1[ri_77]) && (I2OSP2(Nsecret) = l_1[ri_77]) && (dh2_1[ri_77] = exp(pk_S_1, sk_1)) && (dh1_1[ri_77] = exp(pkE_10, sk_1)) && (label_eae_prk = label1_1[ri_77]) && (suite_id = suite1_1[ri_77]) && (RFCXXXX = protocol1_1[ri_77]) && (lbytes_empty = salt_1[ri_77]) then + return(AuthDecap_Some(r_9[u_77])) + else + r_8 <-R eae_output_t; + return(AuthDecap_Some(r_8)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_74 = ri_74 <= Qeperuser, u_75 = ri_75 <= N suchthat defined(r_6[ri_74, ri_75], z_5[ri_74, ri_75], sk_1[ri_75], pkE_7[ri_74, ri_75], pk_R_1[ri_74, ri_75], pkS_3[ri_74, ri_75]) && (pkS'' = pkS_3[ri_74, ri_75]) && (pkR'' = pk_R_1[ri_74, ri_75]) && (pkE'' = pkE_7[ri_74, ri_75]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_74, ri_75], sk_1[ri_75])) && (dh1_1 = exp(pk_R_1[ri_74, ri_75], z_5[ri_74, ri_75])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_74, u_75]) + orfind u_70 = ri_70 <= Qdperuser, u_71 = ri_71 <= N suchthat defined(r_8[ri_70, ri_71], 
sk_1[ri_71], pkE_10[ri_70, ri_71], pkR_3[ri_70, ri_71], pk_S_1[ri_70, ri_71]) && (pkS'' = pk_S_1[ri_70, ri_71]) && (pkR'' = pkR_3[ri_70, ri_71]) && (pkE'' = pkE_10[ri_70, ri_71]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_70, ri_71], sk_1[ri_71])) && (dh1_1 = exp(pkE_10[ri_70, ri_71], sk_1[ri_71])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_8[u_70, u_71]) + orfind u_69 = ri_69 <= Qh suchthat defined(r_9[ri_69], salt_1[ri_69], protocol1_1[ri_69], suite1_1[ri_69], label1_1[ri_69], dh1_1[ri_69], dh2_1[ri_69], l_1[ri_69], protocol2_1[ri_69], suite2_1[ri_69], label2_1[ri_69], pkE''[ri_69], pkR''[ri_69], pkS''[ri_69]) && (pkS'' = pkS''[ri_69]) && (pkR'' = pkR''[ri_69]) && (pkE'' = pkE''[ri_69]) && (label2_1 = label2_1[ri_69]) && (suite2_1 = suite2_1[ri_69]) && (protocol2_1 = protocol2_1[ri_69]) && (l_1 = l_1[ri_69]) && (dh2_1 = dh2_1[ri_69]) && (dh1_1 = dh1_1[ri_69]) && (label1_1 = label1_1[ri_69]) && (suite1_1 = suite1_1[ri_69]) && (protocol1_1 = protocol1_1[ri_69]) && (salt_1 = salt_1[ri_69]) then + return(r_9[u_69]) + else + r_9 <-R eae_output_t; + return(r_9) + else + find [unique] u_60 = ri_60 <= Qh suchthat defined(r_10[ri_60], x1_1[ri_60]) && (x1_1 = x1_1[ri_60]) then + return(r_10[u_60]) + else + r_10 <-R eae_output_t; + return(r_10) + )) + + +Proved indistinguishability between game 72 and game 1 +Game 72 is the same as game 40. 
+Adv[Game 1: indistinguishability from game 40] <= Adv_sqGDH(time_1, 7 * Qh) + (#OAEncap + N) * PDistRerandom + (2 * #OADecap * N + #OAEncap * #OADecap + 8 * #OAEncap^2 + 2 * #OAEncap * N + 5 * N^2) * PCollKey + Adv[Game 40: indistinguishability from game 40] +Adv[Game 40: indistinguishability from game 40] <= 0 +Adv[Game 41: indistinguishability from game 72] <= Adv_sqGDH(time_2, 5 * Qh) + (#OAEncap + N) * PDistRerandom + (2 * #OADecap * N + #OAEncap * #OADecap + 8 * #OAEncap^2 + 2 * #OAEncap * N + 7 * N^2) * PCollKey + Adv[Game 72: indistinguishability from game 72] +Adv[Game 72: indistinguishability from game 72] <= 0 +RESULT Proved indistinguishability between game 41 and game 1 up to probability Adv_sqGDH(time_2, 5 * Qh) + Adv_sqGDH(time_1, 7 * Qh) + (2 * #OAEncap + 2 * N) * PDistRerandom + (4 * #OADecap * N + 2 * #OAEncap * #OADecap + 16 * #OAEncap^2 + 4 * #OAEncap * N + 12 * N^2) * PCollKey +RESULT time_1 = #OAEncap * time(AuthEncap_tuple, maxlength(game 37: enc_7)) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 37: enc_8)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 3 * Qh * #OADecap) * time(I2OSP2) + (2 * Qh * #OAEncap + 1 + N + 2 * #OAEncap) * time(exp) + time +RESULT time_2 = #OAEncap * time(AuthEncap_tuple, maxlength(game 69: enc_9)) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 69: enc_10)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) + (2 * Qh * #OAEncap + 1 + N + 2 * #OAEncap) * time(exp) + time +All queries proved. 
diff --git a/dhkem.auth.outsider-cca-lr.m4.ocv b/dhkem.auth.outsider-cca-lr.m4.ocv index e485a32..edb2915 100644 --- a/dhkem.auth.outsider-cca-lr.m4.ocv +++ b/dhkem.auth.outsider-cca-lr.m4.ocv @@ -1,5 +1,8 @@ proof { - allowed_collisions pest150; + allowed_collisions default^4/large; + (* We allow eliminating collisions with probability in power 4 of + N, Qeperuser, Qdperuser, Qcperuser times PCollKey, to allow q^2 * PCollKey, + where q = N * (Qeperuser + Qdperuser + Qcperuser) *) (* start on the left side *) out_game "l1.out.cv"; (* Let appear this case distinction in the Encap oracle, @@ -107,7 +110,7 @@ expand GDH_RSR_minimal( include(`common.dhkem.ocv') -param N, Qeperuser, Qdperuser [size30]. +param N, Qeperuser, Qdperuser. equivalence Ostart() := diff --git a/dhkem.auth.outsider-cca-lr.ocv b/dhkem.auth.outsider-cca-lr.ocv index f114d53..5f05e3d 100644 --- a/dhkem.auth.outsider-cca-lr.ocv +++ b/dhkem.auth.outsider-cca-lr.ocv @@ -1,5 +1,8 @@ proof { - allowed_collisions pest150; + allowed_collisions default^4/large; + (* We allow eliminating collisions with probability in power 4 of + N, Qeperuser, Qdperuser, Qcperuser times PCollKey, to allow q^2 * PCollKey, + where q = N * (Qeperuser + Qdperuser + Qcperuser) *) (* start on the left side *) out_game "l1.out.cv"; (* Let appear this case distinction in the Encap oracle, @@ -89,8 +92,8 @@ proof { type G_t [bounded]. fun Serialize(G_t): bitstring [data]. -type Z_t [bounded,pcoll250,nonuniform]. -proba PCollKey [pest250]. +type Z_t [bounded,nonuniform]. +proba PCollKey. expand DH_proba_collision_minimal( G_t, @@ -273,7 +276,7 @@ letfun AuthDecap(key_extr: hash_key_t, enc: bitstring, skR: Z_t, pkS: G_t) = -param N, Qeperuser, Qdperuser [size30]. +param N, Qeperuser, Qdperuser. equivalence Ostart() := diff --git a/dhkem.auth.outsider-cca-lr.proof b/dhkem.auth.outsider-cca-lr.proof index a0e9031..0d9a521 100644 --- a/dhkem.auth.outsider-cca-lr.proof +++ b/dhkem.auth.outsider-cca-lr.proof 
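Review bot: The rationale comment added above `allowed_collisions default^4/large;` names `Qcperuser` both in the list of parameters and in the formula for q, but this file's `param` line in the later hunk is `param N, Qeperuser, Qdperuser.` with no `Qcperuser`; the comment appears to have been carried over from the insider-cca variant, where that parameter is declared. Unless `Qcperuser` is declared elsewhere in the file, the two comment lines should read `N, Qeperuser, Qdperuser times PCollKey, to allow q^2 * PCollKey,` and `where q = N * (Qeperuser + Qdperuser) *)`. The same comment appears in the dhkem.auth.outsider-cca-lr.ocv hunk at the same position and needs the same correction. Since this comment is the stated justification for the relaxed collision-elimination bound, keeping q in step with the oracle counts the model actually declares matters to anyone auditing the resulting probability bound.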
@@ -1,3449 +1,3350 @@ -Initial state -Game 1 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - return((skS: Z_t <- sk; {23}let (skE: Z_t, pkE_2: G_t) = (z <-R Z_t; (z, exp(g, z))) in dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); enc_1: bitstring <- Serialize(pkE_2); pkS: G_t <- exp(g, skS); kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); zz_2: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_2, enc_1) else AuthEncap_None)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - return((skR: Z_t <- sk; let Serialize(pkE_3: G_t) = enc_2 in dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); pkR_1: G_t <- exp(g, skR); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); zz_3: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1))); AuthDecap_Some(zz_3) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (skE: Z_t, pkE_2: G_t) (tuple expanded) at 23 - - Remove else branch of let at 23 -yields - -Game 2 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - skS: Z_t <- sk; - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - 
skE: Z_t <- z; - dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, skS); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - skR: Z_t <- sk; - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); - pkR_1: G_t <- exp(g, skR); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR (definition removed, all usages removed) - - Remove assignments on skS (definition removed, all usages removed) - - Remove assignments on skE (definition removed, all usages removed) -yields - -Game 3 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - {18} z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - 
key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction find i1 <= N suchthat - defined(sk[i1]) - && pk_R = exp(g, sk[i1]) then at occurrence 18 -yields - -Game 4 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, 
info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z <-R Z_t; - pkE_2: G_t <- exp(g, z); - dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename z - - Rename variable z into z_6, z_5 -yields - -Game 5 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_2: G_t <- exp(g, z_5); - dh_2: GG_t <- {36}concatDH(exp(pk_R, z_5), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, 
suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z_6 <-R Z_t; - pkE_2: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify - - Simplification pass - - Replaced concatDH(exp(pk_R, z_5), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))) at 36 -yields - -Game 6 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = 
i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_2: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - else - z_6 <-R Z_t; - pkE_2: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_1: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_1)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename 
enc_1 - - Rename variable enc_1 into enc_9, enc_8 -yields - -Game 7 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_2: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_8)) - else - z_6 <-R Z_t; - pkE_2: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_2, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, 
eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename zz_2 - - Rename variable zz_2 into zz_11, zz_10 -yields - -Game 8 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_2: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_2: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_2); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, 
pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename pkE_2 - - Rename variable pkE_2 into pkE_11, pkE_10 -yields - -Game 9 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - 
return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename pkS - - Rename variable pkS into pkS_5, pkS_4 -yields - -Game 10 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename dh_2 - - Rename variable dh_2 into dh_11, dh_10 -yields - -Game 11 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - 
return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename kemContext_2 - - Rename variable kemContext_2 into kemContext_11, kemContext_10 -yields - -Game 12 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- 
concatContext(pkE_10, pk_R, pkS_4); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying SA rename key - - Rename variable key into key_6, key_5 -yields - -Game 13 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N 
suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) 
- - -Applying SA rename info - - Rename variable info into info_6, info_5 -yields - -Game 14 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - {218} let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - 
zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction find ie1 <= Qeperuser, i1 <= N suchthat - defined(sk[i1], pk_R[ie1, i1], zz_10[ie1, i1], z_5[ie1, i1], enc_8[ie1, i1]) - && exp(g, sk) = pk_R[ie1, i1] - && pk_S = exp(g, sk[i1]) - && enc_8[ie1, i1] = enc_2 then at occurrence 218 -yields - -Game 15 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - 
return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(sk[i1_9], pk_R[ie1_3, i1_9], zz_10[ie1_3, i1_9], z_5[ie1_3, i1_9], enc_8[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some({319}zz_3)) - else - return(AuthDecap_None) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying replace term at occurrence 319 with zz_10[ie1_2, i1_8] [probability N * N * PCollKey] -yields - -Game 16 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, 
sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - 
return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - return(AuthDecap_None) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on zz_3 (definition removed, all usages removed) - - Remove assignments on key_1 (definition removed, all usages removed) - - Remove assignments on info_1 (definition removed, all usages removed) - - Remove assignments on dh_3 (definition removed, all usages removed) - - Remove assignments on kemContext_3 (definition removed, all usages removed) - - Remove assignments on pkR_1 (definition removed, all usages removed) -yields - -Game 17 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - {218} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {226}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2)) then - {251} let Serialize(pkE_3: G_t) = {252}enc_2 in - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - return(AuthDecap_None) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying simplify [probability N * N * PCollKey] - - Simplification pass - - Replaced ((exp(g, sk) = 
pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2)) with ((i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2)) at 226 - - Replaced enc_2 with Serialize(pkE_10[ie1_2, i1_8]) at 252 - - Remove else branch of let at 251 - - Simplify pattern Serialize(pkE_3: G_t) (tuple expanded) at 251 - - Replaced defined condition zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9] in find at 218 -yields - -Game 18 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - 
return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - pkE_3: G_t <- pkE_10[ie1_2, i1_8]; - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on pkE_3 (definition removed, all usages removed) -yields - -Game 19 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - {353} return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - 
concatDH(dh1: G_t, dh2: G_t)), - concatExpand( - l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 353 -yields - -Game 20 is - Ostart() := - key_extr_3 <-R hash_key_t; - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = 
enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return(ExtractAndExpand_inner(key_extr_3, x1)) - else - return(ExtractAndExpand_inner(key_extr_3, x1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_3 -> hk -yields - -Game 21 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- 
(x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {104}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_1 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_33 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then r_3[u_33] orfind u_32 = ri_32 <= Qh suchthat defined(x_O_4[ri_32], r_4[ri_32]) && {173}(x_O_1 = x_O_4[ri_32]) then r_4[u_32] else r_1 <-R eae_output_t; r_1); - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {276}find [unique] u_30 = ri_30 <= Qeperuser, u_31 = ri_31 <= N suchthat defined(x_O[ri_30, ri_31], r[ri_30, ri_31]) && (x_O = x_O[ri_30, ri_31]) then r[u_30, u_31] orfind u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O_1[ri_28, ri_29], r_1[ri_28, ri_29]) && (x_O = x_O_1[ri_28, ri_29]) then r_1[u_28, u_29] orfind u_26 = ri_26 <= Qdperuser, u_27 = ri_27 <= N suchthat defined(x_O_2[ri_26, ri_27], r_2[ri_26, ri_27]) && (x_O = x_O_2[ri_26, ri_27]) then r_2[u_26, u_27] orfind u_25 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then r_3[u_25] orfind u_24 = ri_24 <= Qh 
suchthat defined(x_O_4[ri_24], r_4[ri_24]) && {345}(x_O = x_O_4[ri_24]) then r_4[u_24] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); {484}find [unique] u_22 = ri_22 <= Qeperuser, u_23 = ri_23 <= N suchthat defined(x_O[ri_22, ri_23], r[ri_22, ri_23]) && (x_O_2 = x_O[ri_22, ri_23]) then r[u_22, u_23] orfind u_20 = ri_20 <= Qeperuser, u_21 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && (x_O_2 = x_O_1[ri_20, ri_21]) then r_1[u_20, u_21] orfind u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then r_2[u_18, u_19] orfind u_17 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then r_3[u_17] orfind u_16 = ri_16 <= Qh suchthat defined(x_O_4[ri_16], r_4[ri_16]) && {553}(x_O_2 = x_O_4[ri_16]) then r_4[u_16] else r_2 <-R eae_output_t; r_2); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, 
label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_3: eae_input_t <- x1; {604}find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then r[u_14, u_15] orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then r_1[u_12, u_13] orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then r_2[u_10, u_11] orfind u_9 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then r_3[u_9] orfind u_8 = ri_8 <= Qh suchthat defined(x_O_4[ri_8], r_4[ri_8]) && {662}(x_O_3 = x_O_4[ri_8]) then r_4[u_8] else r_3 <-R eae_output_t; r_3)) - else - return((x_O_4: eae_input_t <- x1; {679}find [unique] u_6 = ri_6 <= Qeperuser, u_7 = ri_7 <= N suchthat defined(x_O[ri_6, ri_7], r[ri_6, ri_7]) && {684}(x_O_4 = x_O[ri_6, ri_7]) then r[u_6, u_7] orfind u_4 = ri_4 <= Qeperuser, u_5 = ri_5 <= N suchthat defined(x_O_1[ri_4, ri_5], r_1[ri_4, ri_5]) && {699}(x_O_4 = x_O_1[ri_4, ri_5]) then r_1[u_4, u_5] orfind u_2 = ri_2 <= Qdperuser, u_3 = ri_3 <= N suchthat defined(x_O_2[ri_2, ri_3], r_2[ri_2, ri_3]) && {714}(x_O_4 = x_O_2[ri_2, ri_3]) then r_2[u_2, u_3] orfind u_1 = ri_1 <= Qh suchthat defined(x_O_3[ri_1], r_3[ri_1]) && {727}(x_O_4 = x_O_3[ri_1]) then r_3[u_1] orfind u = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then r_4[u] else r_4 <-R eae_output_t; r_4)) - )) - - -Applying simplify (non-expanded game) [probability N * N * PCollKey] - - Simplification pass - - Replaced (x_O_1 = x_O_4[ri_32]) with false at 173 - - Remove branch 5 in find at 104 - - Replaced (x_O = x_O_4[ri_24]) with false at 345 - - Remove branch 
5 in find at 276 - - Replaced (x_O_2 = x_O_4[ri_16]) with false at 553 - - Remove branch 5 in find at 484 - - Replaced (x_O_3 = x_O_4[ri_8]) with false at 662 - - Remove branch 5 in find at 604 - - Replaced (x_O_4 = x_O_3[ri_1]) with false at 727 - - Remove branch 4 in find at 679 - - Replaced (x_O_4 = x_O_2[ri_2, ri_3]) with false at 714 - - Remove branch 3 in find at 679 - - Replaced (x_O_4 = x_O_1[ri_4, ri_5]) with false at 699 - - Remove branch 2 in find at 679 - - Replaced (x_O_4 = x_O[ri_6, ri_7]) with false at 684 - - Remove branch 1 in find at 679 -yields - -Game 22 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - zz_10: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {104}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && (x_O_1 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_33 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then r_3[u_33] else r_1 <-R eae_output_t; r_1); - 
return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - zz_11: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {264}find [unique] u_30 = ri_30 <= Qeperuser, u_31 = ri_31 <= N suchthat defined(x_O[ri_30, ri_31], r[ri_30, ri_31]) && (x_O = x_O[ri_30, ri_31]) then r[u_30, u_31] orfind u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O_1[ri_28, ri_29], r_1[ri_28, ri_29]) && (x_O = x_O_1[ri_28, ri_29]) then r_1[u_28, u_29] orfind u_26 = ri_26 <= Qdperuser, u_27 = ri_27 <= N suchthat defined(x_O_2[ri_26, ri_27], r_2[ri_26, ri_27]) && (x_O = x_O_2[ri_26, ri_27]) then r_2[u_26, u_27] orfind u_25 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then r_3[u_25] else r <-R eae_output_t; r); - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - zz_3: eae_output_t <- (x_O_2: 
eae_input_t <- eae_input(lbytes_empty, key_1, info_1); {460}find [unique] u_22 = ri_22 <= Qeperuser, u_23 = ri_23 <= N suchthat defined(x_O[ri_22, ri_23], r[ri_22, ri_23]) && (x_O_2 = x_O[ri_22, ri_23]) then r[u_22, u_23] orfind u_20 = ri_20 <= Qeperuser, u_21 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && (x_O_2 = x_O_1[ri_20, ri_21]) then r_1[u_20, u_21] orfind u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then r_2[u_18, u_19] orfind u_17 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then r_3[u_17] else r_2 <-R eae_output_t; r_2); - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - return((x_O_3: eae_input_t <- x1; find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then r[u_14, u_15] orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then r_1[u_12, u_13] orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then r_2[u_10, u_11] orfind u_9 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then r_3[u_9] else r_3 <-R eae_output_t; r_3)) - else - return((x_O_4: eae_input_t <- x1; find [unique] u = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then r_4[u] else r_4 <-R eae_output_t; 
r_4)) - )) - - -Applying expand [probability (4 * #OAEncap * Qeperuser + #OAEncap * N + N * N) * PCollKey] - - Expand if/find/let - - Remove branch 1 in find at 460 - - Remove branch 3 in find at 264 - - Remove branch 2 in find at 264 - - Remove branch 1 in find at 264 - - Remove branch 2 in find at 104 - - Remove branch 1 in find at 104 -yields - -Game 23 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then - zz_10: eae_output_t <- r_2[u_34, u_35]; - return(AuthEncap_tuple(zz_10, enc_8)) - orfind u_33 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(zz_10, enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(zz_10, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- 
concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_25 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then - zz_11: eae_output_t <- r_3[u_25]; - return(AuthEncap_tuple(zz_11, enc_9)) - else - r <-R eae_output_t; - zz_11: eae_output_t <- r; - return(AuthEncap_tuple(zz_11, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); - find [unique] u_20 = ri_20 <= Qeperuser, u_21 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && (x_O_2 = x_O_1[ri_20, ri_21]) then - zz_3: eae_output_t <- r_1[u_20, u_21]; - return(AuthDecap_Some(zz_3)) - orfind u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then - zz_3: eae_output_t <- r_2[u_18, u_19]; - return(AuthDecap_Some(zz_3)) - orfind u_17 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then - zz_3: eae_output_t <- r_3[u_17]; - return(AuthDecap_Some(zz_3)) - else - r_2 <-R eae_output_t; - zz_3: eae_output_t <- r_2; - return(AuthDecap_Some(zz_3)) - else - return(AuthDecap_None) - ) | ( - Opk() := - 
return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_3: eae_input_t <- x1; - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - x_O_4: eae_input_t <- x1; - find [unique] u = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_4 (definition point kept, all usages removed) - - Remove assignments on x_O_3 (definition point kept, all usages removed) - - Remove assignments on zz_3 (definition removed, all usages removed) - - Remove assignments on zz_3 (definition removed, all usages removed) - - Remove assignments on zz_3 (definition removed, all usages removed) - - Remove assignments on zz_3 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_11 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition kept, array 
references kept) - - Remove assignments on zz_10 (definition kept, array references kept) - - Remove assignments on zz_10 (definition kept, array references kept) -yields - -Game 24 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - {103} find [unique] u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && {108}(x_O_1 = x_O_2[ri_34, ri_35]) then - zz_10: eae_output_t <- r_2[u_34, u_35]; - return(AuthEncap_tuple(r_2[u_34, u_35], enc_8)) - orfind u_33 = ri_33 <= Qh suchthat defined(x1[ri_33], x_O_3[ri_33], r_3[ri_33]) && {141}(x_O_1 = x1[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - {258} 
find [unique] u_25 = ri_25 <= Qh suchthat defined(x1[ri_25], x_O_3[ri_25], r_3[ri_25]) && {262}(x_O = x1[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); - {404} find [unique] u_20 = ri_20 <= Qeperuser, u_21 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && {409}(x_O_2 = x_O_1[ri_20, ri_21]) then - return(AuthDecap_Some(r_1[u_20, u_21])) - orfind u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && {431}(x_O_2 = x_O_2[ri_18, ri_19]) then - return(AuthDecap_Some(r_2[u_18, u_19])) - orfind u_17 = ri_17 <= Qh suchthat defined(x1[ri_17], x_O_3[ri_17], r_3[ri_17]) && {452}(x_O_2 = x1[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, 
suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_3: eae_input_t <- cst_eae_input_t; - {501} find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && {506}(x1 = x_O[ri_14, ri_15]) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && {524}(x1 = x_O_1[ri_12, ri_13]) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && {542}(x1 = x_O_2[ri_10, ri_11]) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(x1[ri_9], x_O_3[ri_9], r_3[ri_9]) && {559}(x1 = x1[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - x_O_4: eae_input_t <- cst_eae_input_t; - {579} find [unique] u = ri <= Qh suchthat defined(x1[ri], x_O_4[ri], r_4[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying simplify [probability 4 * N * N * PCollKey] - - Simplification pass - - Replaced defined condition x1[ri], x_O_4[ri], r_4[ri] with r_4[ri], x1[ri] in find at 579 - - Replaced (x1 = x1[ri_9]) with ((pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9])) at 559 - - Replaced defined condition x1[ri_9], x_O_3[ri_9], r_3[ri_9] with r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9] in find at 501 - - Replaced (x1 = x_O_2[ri_10, ri_11]) with ((pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, 
ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 542 - - Replaced defined condition x_O_2[ri_10, ri_11], r_2[ri_10, ri_11] with r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11] in find at 501 - - Replaced (x1 = x_O_1[ri_12, ri_13]) with ((pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 524 - - Replaced defined condition x_O_1[ri_12, ri_13], r_1[ri_12, ri_13] with r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13] in find at 501 - - Replaced (x1 = x_O[ri_14, ri_15]) with ((pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 506 - - Replaced defined condition x_O[ri_14, ri_15], r[ri_14, ri_15] with r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15] in find at 501 - - Replaced (x_O_2 = x1[ri_17]) with ((pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = 
label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17])) at 452 - - Replaced defined condition x1[ri_17], x_O_3[ri_17], r_3[ri_17] with r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17] in find at 404 - - Replaced (x_O_2 = x_O_2[ri_18, ri_19]) with ((pk_S = pk_S[ri_18, ri_19]) && (i = ri_19) && (pkE_3 = pkE_3[ri_18, ri_19])) at 431 - - In branch 2 of find at 404, substituting u_19 with i - - Replaced defined condition x_O_2[ri_18, ri_19], r_2[ri_18, ri_19] with r_2[ri_18], pkE_3[ri_18], pk_S[ri_18] in find at 404 - - Replaced (x_O_2 = x_O_1[ri_20, ri_21]) with ((pk_S = pkS_4[ri_20, ri_21]) && (i = i1_6[ri_20, ri_21]) && (pkE_3 = pkE_10[ri_20, ri_21])) at 409 - - Remove branch 1 in find at 404 - - Replaced (x_O = x1[ri_25]) with ((pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25])) at 262 - - Replaced defined condition x1[ri_25], x_O_3[ri_25], r_3[ri_25] with r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25] in find at 258 - - Replaced (x_O_1 = x1[ri_33]) with ((pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) 
&& (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33])) at 141 - - Replaced defined condition x1[ri_33], x_O_3[ri_33], r_3[ri_33] with r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33] in find at 103 - - Replaced (x_O_1 = x_O_2[ri_34, ri_35]) with ((pkS_4 = pk_S[ri_34, ri_35]) && (i1_6 = ri_35) && (pkE_10 = pkE_3[ri_34, ri_35])) at 108 - - In branch 1 of find at 103, substituting u_35 with i1_6 - - Replaced defined condition x_O_2[ri_34, ri_35], r_2[ri_34, ri_35] with r_2[ri_34, i1_6], pkE_3[ri_34, i1_6], pk_S[ri_34, i1_6] in find at 103 -yields - -Game 25 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - {103} find [unique] u_34 = ri_34 <= Qdperuser suchthat defined(r_2[ri_34, i1_6], pkE_3[ri_34, i1_6], pk_S[ri_34, i1_6]) && {116}((pkS_4 = pk_S[ri_34, i1_6]) && (i1_6 = i1_6) && (pkE_10 = pkE_3[ri_34, i1_6])) then - u_35 <= N <- i1_6; - zz_10: eae_output_t <- r_2[u_34, i1_6]; - 
return(AuthEncap_tuple(r_2[u_34, i1_6], enc_8)) - orfind u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = 
protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && {624}((pk_S = pk_S[ri_18]) && (i = i) && (pkE_3 = pkE_3[ri_18])) then - u_19 <= N <- i; - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - 
return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_3: eae_input_t <- cst_eae_input_t; - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = 
label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying simplify [probability #OAEncap * Qdperuser * PCollKey] - - Simplification pass - - Replaced ((pk_S = pk_S[ri_18]) && (i = i) && (pkE_3 = pkE_3[ri_18])) with ((pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18])) at 624 - - Replaced ((pkS_4 = pk_S[ri_34, i1_6]) && (i1_6 = i1_6) && (pkE_10 = pkE_3[ri_34, i1_6])) with false at 116 - - Remove branch 1 in find at 103 -yields - -Game 26 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - kemContext_10: GGG_t <- 
concatContext(pkE_10, pk_R, pkS_4); - key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); - info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); - x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); - find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); - key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); - info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); - x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = 
label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); - key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); - info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); - x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - u_19 <= N <- i; - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = 
suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - x_O_3: eae_input_t <- cst_eae_input_t; - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 
= ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - x_O_4: eae_input_t <- cst_eae_input_t; - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying move all binders - - Move assignment to x_O_4 - - Move assignment to x_O_3 - - Move assignment to x_O_2 - - Move assignment to info_1 - - Move assignment to key_1 - - Move assignment to kemContext_3 - - Move assignment to x_O - - Move assignment to info_6 - - Move assignment to key_6 - - Move assignment to kemContext_11 - - Move assignment to x_O_1 - - Move assignment to info_5 - - Move assignment to key_5 - - Move assignment to kemContext_10 -yields - -Game 27 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - 
find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - 
return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - u_19 <= N <- i; - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find 
[unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], 
dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_3 (definition removed, all usages removed) - - Remove assignments on u_19 (definition removed, all usages removed) - - Remove assignments on dh_11 (definition removed, all usages removed) - - Remove assignments on dh_10 (definition removed, all usages removed) -yields - -Game 28 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = 
protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) 
&& (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, 
ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying equivalence gdh(exp) with variables: sk -> a, z_5 -> b [probability Adv_GDH(time(context for game 28) + time + (1 + #OAEncap + N) * time(exp), 2 * Qh * Qdperuser + N * #OAEncap + N * #OADecap + 3 * Qh * N) + (#OAEncap + N) * PDistRerandom + (N * N + 2 * #OAEncap * Qeperuser) * PCollKey] - - Equivalence gdh(exp) with variables: sk -> a, z_5 -> b -yields - -Game 29 is - Ostart() := - return(); - 
(( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_1: G_t <- pk_R; m'_1: G_t <- g; (m_1 = exp(m'_1, sk[i1_7]))) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - {54} find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (m_9: G_t <- dh2[ri_33]; (m_9 = exp(g, mult(sk[i1_6], sk)))) && (m_4: G_t <- dh1[ri_33]; false) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then - zz_10: eae_output_t <- r_3[u_33]; - return(AuthEncap_tuple(r_3[u_33], enc_8)) - else - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (m: G_t <- dh2[ri_25]; m': G_t <- pk_R; (m = exp(m', sk))) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) 
&& (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (m_12: G_t <- pk_S; m'_5: G_t <- g; (m_12 = exp(m'_5, sk[i1_9]))) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (m_11: G_t <- dh2[ri_17]; m'_4: G_t <- pk_S; (m_11 = exp(m'_4, sk))) && (m_10: G_t <- dh1[ri_17]; m'_3: G_t <- pkE_3; (m_10 = exp(m'_3, sk))) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, 
label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - {586} find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_13: G_t <- dh2; m'_6: G_t <- pk_R[ri_14, ri_15]; (m_13 = exp(m'_6, sk[ri_15]))) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_20: G_t <- dh2; (m_20 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13])))) && (m_15: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_1[u_12, u_13]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_22: G_t <- dh2; m'_8: G_t <- pk_S[ri_10, ri_11]; (m_22 = exp(m'_8, sk[ri_11]))) && (m_21: G_t <- dh1; m'_7: G_t <- pkE_3[ri_10, ri_11]; (m_21 = exp(m'_7, sk[ri_11]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && 
(salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 2 in find at 586 - - Remove branch 1 in find at 54 - - Find at 54 removed (else branch kept if any) -yields - -Game 30 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_1: G_t <- pk_R; m'_1: G_t <- g; (m_1 = exp(m'_1, sk[i1_7]))) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - pkS_4: G_t <- exp(g, sk); - r_1 <-R eae_output_t; - zz_10: eae_output_t <- r_1; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (m: G_t <- dh2[ri_25]; m': G_t <- pk_R; ((pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = 
label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (m = exp(m', sk)) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]))) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (m_12: G_t <- pk_S; m'_5: G_t <- g; ((i = i1_6[ie1_3, i1_9]) && (m_12 = exp(m'_5, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2))) then - return(AuthDecap_Some(zz_10[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (m_11: G_t <- dh2[ri_17]; m'_4: G_t <- pk_S; m_10: G_t <- dh1[ri_17]; m'_3: G_t <- pkE_3; ((pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (m_11 = exp(m'_4, sk)) && (m_10 = exp(m'_3, sk)) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]))) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do 
- OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (m_13: G_t <- dh2; m'_6: G_t <- pk_R[ri_14, ri_15]; ((pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_13 = exp(m'_6, sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r[u_14, u_15]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (m_22: G_t <- dh2; m'_8: G_t <- pk_S[ri_10, ri_11]; m_21: G_t <- dh1; m'_7: G_t <- pkE_3[ri_10, ri_11]; ((pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_22 = exp(m'_8, sk[ri_11])) && (m_21 = exp(m'_7, sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && 
(suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying remove assignments of findcond - - Remove assignments on m_13 (definition removed, all usages removed) - - Remove assignments on m'_6 (definition removed, all usages removed) - - Remove assignments on m_22 (definition removed, all usages removed) - - Remove assignments on m'_8 (definition removed, all usages removed) - - Remove assignments on m_21 (definition removed, all usages removed) - - Remove assignments on m'_7 (definition removed, all usages removed) - - Remove assignments on m_11 (definition removed, all usages removed) - - Remove assignments on m'_4 (definition removed, all usages removed) - - Remove assignments on m_10 (definition removed, all usages removed) - - Remove assignments on m'_3 (definition removed, all usages removed) - - Remove assignments on m_12 (definition removed, all usages removed) - - Remove assignments on m'_5 (definition removed, all usages removed) - - Remove assignments on m (definition removed, all usages removed) - - Remove assignments on m' (definition removed, all usages removed) - - Remove assignments on pkS_4 (definition removed, all usages removed) - - Remove assignments on zz_10 (definition removed, all usages removed) - - Remove assignments on m_1 (definition removed, all usages removed) - - Remove assignments on m'_1 (definition removed, all usages removed) -yields - -Game 31 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat 
defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (dh2[ri_25] = exp(pk_R, sk)) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - {195} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(r_1[ie1_3, i1_9], r_1[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(r_1[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = 
pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (dh2[ri_17] = exp(pk_S, sk)) && (dh1[ri_17] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && 
(label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition r_1[ie1_3, i1_9], r_1[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9] with r_1[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9] in find at 195 -yields - -Game 32 is - Ostart() := - return(); - (( - foreach i <= N do - Osetup() := - sk <-R Z_t; - return(); - (( - foreach ie <= Qeperuser do - OAEncap(pk_R: G_t) := - find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then - z_5 <-R Z_t; - pkE_10: G_t <- exp(g, z_5); - enc_8: bitstring <- Serialize(pkE_10); - r_1 <-R eae_output_t; - return(AuthEncap_tuple(r_1, enc_8)) - else - z_6 <-R Z_t; - pkE_11: G_t <- exp(g, z_6); - enc_9: bitstring <- Serialize(pkE_11); - pkS_5: G_t <- exp(g, sk); - find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) 
&& (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (dh2[ri_25] = exp(pk_R, sk)) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then - return(AuthEncap_tuple(r_3[u_25], enc_9)) - else - r <-R eae_output_t; - return(AuthEncap_tuple(r, enc_9)) - ) | ( - foreach id <= Qdperuser do - OADecap(pk_S: G_t, enc_2: bitstring) := - find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(r_1[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then - return(AuthDecap_Some(r_1[ie1_2, i1_8])) - else - let Serialize(pkE_3: G_t) = enc_2 in - pkR_1: G_t <- exp(g, sk); - find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then - return(AuthDecap_Some(r_2[u_18])) - orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (dh2[ri_17] = exp(pk_S, sk)) && (dh1[ri_17] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then - return(AuthDecap_Some(r_3[u_17])) - else - r_2 <-R eae_output_t; - return(AuthDecap_Some(r_2)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk)) - )) - ) | ( - foreach iH <= Qh do - OH(x1: eae_input_t) := - let eae_input(salt: extract_salt_t, concatExtract(protocol1: 
label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in - find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r[u_14, u_15]) - orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then - return(r_2[u_10, u_11]) - orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = 
salt[ri_9]) then - return(r_3[u_9]) - else - r_3 <-R eae_output_t; - return(r_3) - else - find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then - return(r_4[u]) - else - r_4 <-R eae_output_t; - return(r_4) - )) - -Initial state -Game 33 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = (exponent_15: Z_t <- sk_1[i1]; exp(g, exponent_15))) then - {33} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; {37}let (skE_1: Z_t, pkE_8: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_8: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_7: bitstring <- Serialize(pkE_8); pkS_3: G_t <- exp(g, skS_1); kemContext_8: GGG_t <- concatContext(pkE_8, pk_R_1, pkS_3); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_8, enc_7) else AuthEncap_None) in - k' <-R eae_output_t; - return(AuthEncap_tuple(k', ce)) - else - return(AuthEncap_None) - else - return((skS_1: Z_t <- sk_1; {143}let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_2: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None)) - ) 
| ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2], ce[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && ((exponent_16: Z_t <- sk_1[i1_2]; exp(g, exponent_16)) = pk_S_1) && (ce[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - return((skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4))); AuthDecap_Some(zz_9) else AuthDecap_None)) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (skE_1: Z_t, pkE_7: G_t) (tuple expanded) at 143 - - Remove else branch of let at 143 - - Simplify pattern (skE_1: Z_t, pkE_8: G_t) (tuple expanded) at 37 - - Remove else branch of let at 37 - - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 33 - - Remove else branch of let at 33 -yields - -Game 34 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (exponent_15: Z_t <- sk_1[i1]; (pk_R_1 = exp(g, exponent_15))) then - skS_1: Z_t <- sk_1; - z_1 <-R Z_t; - pkE_8: G_t <- exp(g, z_1); - skE_1: Z_t <- z_1; - dh_8: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); - enc_7: bitstring <- 
Serialize(pkE_8); - pkS_3: G_t <- exp(g, skS_1); - kemContext_8: GGG_t <- concatContext(pkE_8, pk_R_1, pkS_3); - key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); - info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); - zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_3, info_3)); - ce: bitstring <- enc_7; - k: eae_output_t <- zz_8; - k' <-R eae_output_t; - return(AuthEncap_tuple(k', ce)) - else - skS_1: Z_t <- sk_1; - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - skE_1: Z_t <- z_1; - dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, skS_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2], ce[ie1, i1_2]) && (exponent_16: Z_t <- sk_1[i1_2]; ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, exponent_16) = pk_S_1) && (ce[ie1, i1_2] = cd))) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - skR_1: Z_t <- sk_1; - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); - pkR_4: G_t <- exp(g, skR_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- 
ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR_1 (definition removed, all usages removed) - - Remove assignments on exponent_16 (definition removed, all usages removed) - - Remove assignments on skS_1 (definition removed, all usages removed) - - Remove assignments on skE_1 (definition removed, all usages removed) - - Remove assignments on skS_1 (definition removed, all usages removed) - - Remove assignments on skE_1 (definition removed, all usages removed) - - Remove assignments on ce (definition removed, all usages removed) - - Remove assignments on k (definition removed, all usages removed) - - Remove assignments on exponent_15 (definition removed, all usages removed) - - Remove assignments on zz_8 (definition removed, all usages removed) - - Remove assignments on key_3 (definition removed, all usages removed) - - Remove assignments on info_3 (definition removed, all usages removed) - - Remove assignments on dh_8 (definition removed, all usages removed) - - Remove assignments on kemContext_8 (definition removed, all usages removed) - - Remove assignments on pkS_3 (definition removed, all usages removed) -yields - -Game 35 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_1 <-R Z_t; - pkE_8: G_t <- exp(g, z_1); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, 
sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - {147} find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(enc_7[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition enc_7[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2] with k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] in find at 147 -yields - -Game 36 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - 
OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_1 <-R Z_t; - pkE_8: G_t <- exp(g, z_1); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_1 <-R Z_t; - pkE_7: G_t <- exp(g, z_1); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying remove assignments of findcond - - Rename variable z_1 into z_4, z_3 -yields - 
-Game 37 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - 
OH(x1_1: eae_input_t) := - {283} return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying insert instruction let eae_input( - salt: extract_salt_t, - concatExtract( - protocol1: label_protocol_t, - suite1: suite_id_t, - label1: label_extract_t, - concatDH(dh1: G_t, dh2: G_t)), - concatExpand(l: two_byte_t, - protocol2: label_protocol_t, - suite2: suite_id_t, - label2: label_expand_t, - concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 283 -yields - -Game 38 is - Ostart() := - key_extr_11 <-R hash_key_t; - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - 
kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - else - return(ExtractAndExpand_inner(key_extr_11, x1_1)) - )) - - -Applying equivalence rom(ExtractAndExpand_inner) - - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_11 -> hk -yields - -Game 39 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- (x_O_5: 
eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {123}find [unique] u_62 = ri_62 <= Qeperuser, u_63 = ri_63 <= N suchthat defined(x_O_5[ri_62, ri_63], r_5[ri_62, ri_63]) && (x_O_5 = x_O_5[ri_62, ri_63]) then r_5[u_62, u_63] orfind u_60 = ri_60 <= Qdperuser, u_61 = ri_61 <= N suchthat defined(x_O_6[ri_60, ri_61], r_6[ri_60, ri_61]) && (x_O_5 = x_O_6[ri_60, ri_61]) then r_6[u_60, u_61] orfind u_59 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then r_7[u_59] orfind u_58 = ri_58 <= Qh suchthat defined(x_O_8[ri_58], r_8[ri_58]) && {174}(x_O_5 = x_O_8[ri_58]) then r_8[u_58] else r_5 <-R eae_output_t; r_5); - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {316}find [unique] u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_5[ri_56, ri_57], r_5[ri_56, ri_57]) && (x_O_6 = x_O_5[ri_56, ri_57]) then r_5[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then r_6[u_54, u_55] orfind u_53 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then r_7[u_53] orfind u_52 = ri_52 <= Qh 
suchthat defined(x_O_8[ri_52], r_8[ri_52]) && {367}(x_O_6 = x_O_8[ri_52]) then r_8[u_52] else r_6 <-R eae_output_t; r_6); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_7: eae_input_t <- x1_1; {418}find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then r_5[u_50, u_51] orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then r_6[u_48, u_49] orfind u_47 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then r_7[u_47] orfind u_46 = ri_46 <= Qh suchthat defined(x_O_8[ri_46], r_8[ri_46]) && {461}(x_O_7 = x_O_8[ri_46]) then r_8[u_46] else r_7 <-R eae_output_t; r_7)) - else - return((x_O_8: eae_input_t <- x1_1; {478}find [unique] u_44 = ri_44 <= Qeperuser, u_45 = ri_45 <= N suchthat defined(x_O_5[ri_44, ri_45], r_5[ri_44, ri_45]) && {483}(x_O_8 = x_O_5[ri_44, ri_45]) then r_5[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_6[ri_42, ri_43], r_6[ri_42, ri_43]) && {498}(x_O_8 = x_O_6[ri_42, ri_43]) then r_6[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_7[ri_41], r_7[ri_41]) && {511}(x_O_8 = x_O_7[ri_41]) then r_7[u_41] orfind u_40 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then r_8[u_40] else r_8 <-R eae_output_t; r_8)) - )) - - -Applying simplify (non-expanded game) [probability N * N * PCollKey] - - 
Simplification pass - - Replaced (x_O_5 = x_O_8[ri_58]) with false at 174 - - Remove branch 4 in find at 123 - - Replaced (x_O_6 = x_O_8[ri_52]) with false at 367 - - Remove branch 4 in find at 316 - - Replaced (x_O_7 = x_O_8[ri_46]) with false at 461 - - Remove branch 4 in find at 418 - - Replaced (x_O_8 = x_O_7[ri_41]) with false at 511 - - Remove branch 3 in find at 478 - - Replaced (x_O_8 = x_O_6[ri_42, ri_43]) with false at 498 - - Remove branch 2 in find at 478 - - Replaced (x_O_8 = x_O_5[ri_44, ri_45]) with false at 483 - - Remove branch 1 in find at 478 -yields - -Game 40 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - zz_7: eae_output_t <- (x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {123}find [unique] u_62 = ri_62 <= Qeperuser, u_63 = ri_63 <= N suchthat defined(x_O_5[ri_62, ri_63], r_5[ri_62, ri_63]) && (x_O_5 = x_O_5[ri_62, ri_63]) then r_5[u_62, u_63] orfind u_60 = ri_60 <= Qdperuser, u_61 = ri_61 <= N suchthat defined(x_O_6[ri_60, ri_61], r_6[ri_60, ri_61]) && (x_O_5 = x_O_6[ri_60, ri_61]) then r_6[u_60, u_61] orfind u_59 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then r_7[u_59] else r_5 <-R eae_output_t; r_5); - 
return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - zz_9: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {304}find [unique] u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_5[ri_56, ri_57], r_5[ri_56, ri_57]) && (x_O_6 = x_O_5[ri_56, ri_57]) then r_5[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then r_6[u_54, u_55] orfind u_53 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then r_7[u_53] else r_6 <-R eae_output_t; r_6); - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - return((x_O_7: eae_input_t <- x1_1; find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], 
r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then r_5[u_50, u_51] orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then r_6[u_48, u_49] orfind u_47 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then r_7[u_47] else r_7 <-R eae_output_t; r_7)) - else - return((x_O_8: eae_input_t <- x1_1; find [unique] u_40 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then r_8[u_40] else r_8 <-R eae_output_t; r_8)) - )) - - -Applying expand [probability (#OAEncap * Qeperuser + #OAEncap * N + N * N) * PCollKey] - - Expand if/find/let - - Remove branch 1 in find at 304 - - Remove branch 2 in find at 123 - - Remove branch 1 in find at 123 -yields - -Game 41 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_59 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then - zz_7: eae_output_t <- r_7[u_59]; - return(AuthEncap_tuple(zz_7, enc_6)) - else - r_5 <-R eae_output_t; - zz_7: eae_output_t <- r_5; - return(AuthEncap_tuple(zz_7, enc_6)) - ) | ( 
- foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then - zz_9: eae_output_t <- r_6[u_54, u_55]; - return(AuthDecap_Some(zz_9)) - orfind u_53 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then - zz_9: eae_output_t <- r_7[u_53]; - return(AuthDecap_Some(zz_9)) - else - r_6 <-R eae_output_t; - zz_9: eae_output_t <- r_6; - return(AuthDecap_Some(zz_9)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_7: eae_input_t <- x1_1; - find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then - return(r_5[u_50, u_51]) - orfind u_48 = 
ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - x_O_8: eae_input_t <- x1_1; - find [unique] u_40 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_O_8 (definition point kept, all usages removed) - - Remove assignments on x_O_7 (definition point kept, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on zz_9 (definition removed, all usages removed) - - Remove assignments on zz_7 (definition removed, all usages removed) - - Remove assignments on zz_7 (definition removed, all usages removed) -yields - -Game 42 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - x_O_5: eae_input_t <- eae_input(lbytes_empty, 
key_2, info_2); - {122} find [unique] u_59 = ri_59 <= Qh suchthat defined(x1_1[ri_59], x_O_7[ri_59], r_7[ri_59]) && {126}(x_O_5 = x1_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - {166} find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2]) && {174}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd)) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - {271} find [unique] u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && {276}(x_O_6 = x_O_6[ri_54, ri_55]) then - return(AuthDecap_Some(r_6[u_54, u_55])) - orfind u_53 = ri_53 <= Qh suchthat defined(x1_1[ri_53], x_O_7[ri_53], r_7[ri_53]) && {297}(x_O_6 = x1_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_7: 
eae_input_t <- cst_eae_input_t; - {346} find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && {351}(x1_1 = x_O_5[ri_50, ri_51]) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && {369}(x1_1 = x_O_6[ri_48, ri_49]) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(x1_1[ri_47], x_O_7[ri_47], r_7[ri_47]) && {386}(x1_1 = x1_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - x_O_8: eae_input_t <- cst_eae_input_t; - {406} find [unique] u_40 = ri_40 <= Qh suchthat defined(x1_1[ri_40], x_O_8[ri_40], r_8[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying simplify [probability 2 * N * N * PCollKey] - - Simplification pass - - Replaced defined condition x1_1[ri_40], x_O_8[ri_40], r_8[ri_40] with r_8[ri_40], x1_1[ri_40] in find at 406 - - Replaced (x1_1 = x1_1[ri_47]) with ((pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47])) at 386 - - Replaced defined condition x1_1[ri_47], x_O_7[ri_47], r_7[ri_47] with r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47] in find at 346 - - Replaced (x1_1 = x_O_6[ri_48, ri_49]) with ((pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 
= I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 369 - - Replaced defined condition x_O_6[ri_48, ri_49], r_6[ri_48, ri_49] with r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49] in find at 346 - - Replaced (x1_1 = x_O_5[ri_50, ri_51]) with ((pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 351 - - Replaced defined condition x_O_5[ri_50, ri_51], r_5[ri_50, ri_51] with r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51] in find at 346 - - Replaced (x_O_6 = x1_1[ri_53]) with ((pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53])) at 297 - - Replaced defined condition x1_1[ri_53], x_O_7[ri_53], r_7[ri_53] with r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53] in find at 271 - - Replaced (x_O_6 = x_O_6[ri_54, ri_55]) with ((pk_S_1 = pk_S_1[ri_54, ri_55]) && (i_1 = ri_55) 
&& (pkE_9 = pkE_9[ri_54, ri_55])) at 276 - - In branch 1 of find at 271, substituting u_55 with i_1 - - Replaced defined condition x_O_6[ri_54, ri_55], r_6[ri_54, ri_55] with r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54] in find at 271 - - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd)) with ((i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd)) at 174 - - Replaced defined condition k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2] with k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2] in find at 166 - - Replaced (x_O_5 = x1_1[ri_59]) with ((pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59])) at 126 - - Replaced defined condition x1_1[ri_59], x_O_7[ri_59], r_7[ri_59] with r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59] in find at 122 -yields - -Game 43 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - 
kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_54 = ri_54 <= Qdperuser suchthat 
defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && {362}((pk_S_1 = pk_S_1[ri_54]) && (i_1 = i_1) && (pkE_9 = pkE_9[ri_54])) then - u_55 <= N <- i_1; - return(AuthDecap_Some(r_6[u_54])) - orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_7: eae_input_t <- cst_eae_input_t; - find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, 
ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - x_O_8: eae_input_t <- cst_eae_input_t; - find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying simplify - - Simplification pass - - Replaced ((pk_S_1 = pk_S_1[ri_54]) && (i_1 = i_1) && (pkE_9 = pkE_9[ri_54])) with ((pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54])) at 362 -yields - -Game 44 is - Ostart() := - return(); - (( - foreach i_1 <= N 
do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); - key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); - info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); - x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); - find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, 
i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); - key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); - info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); - x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); - find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then - u_55 <= N <- i_1; - return(AuthDecap_Some(r_6[u_54])) - orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - x_O_7: eae_input_t <- cst_eae_input_t; - 
find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - 
else - x_O_8: eae_input_t <- cst_eae_input_t; - find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying move all binders - - Move assignment to x_O_8 - - Move assignment to x_O_7 - - Move assignment to x_O_6 - - Move assignment to info_4 - - Move assignment to key_4 - - Move assignment to kemContext_9 - - Move assignment to x_O_5 - - Move assignment to info_2 - - Move assignment to key_2 - - Move assignment to kemContext_7 -yields - -Game 45 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= 
Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); - pkR_4: G_t <- exp(g, sk_1); - find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then - u_55 <= N <- i_1; - return(AuthDecap_Some(r_6[u_54])) - orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 
<= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - find [unique] u_40 = ri_40 <= Qh suchthat 
defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Applying remove assignments of findcond - - Remove assignments on dh_9 (definition removed, all usages removed) - - Remove assignments on u_55 (definition removed, all usages removed) - - Remove assignments on dh_7 (definition removed, all usages removed) -yields - -Game 46 is - Ostart() := - return(); - (( - foreach i_1 <= N do - Osetup() := - sk_1 <-R Z_t; - return(); - (( - foreach ie_1 <= Qeperuser do - OAEncap(pk_R_1: G_t) := - find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then - z_4 <-R Z_t; - pkE_8: G_t <- exp(g, z_4); - enc_7: bitstring <- Serialize(pkE_8); - k' <-R eae_output_t; - return(AuthEncap_tuple(k', enc_7)) - else - z_3 <-R Z_t; - pkE_7: G_t <- exp(g, z_3); - enc_6: bitstring <- Serialize(pkE_7); - pkS_2: G_t <- exp(g, sk_1); - find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then - return(AuthEncap_tuple(r_7[u_59], enc_6)) - else - r_5 <-R eae_output_t; - return(AuthEncap_tuple(r_5, enc_6)) - ) | ( - foreach id_1 <= Qdperuser do - OADecap(pk_S_1: G_t, cd: bitstring) := - find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, 
sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then - return(AuthDecap_Some(k'[ie1_1, i1_5])) - else - let Serialize(pkE_9: G_t) = cd in - pkR_4: G_t <- exp(g, sk_1); - find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then - return(AuthDecap_Some(r_6[u_54])) - orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then - return(AuthDecap_Some(r_7[u_53])) - else - r_6 <-R eae_output_t; - return(AuthDecap_Some(r_6)) - else - return(AuthDecap_None) - ) | ( - Opk() := - return(exp(g, sk_1)) - )) - ) | ( - foreach iH_1 <= Qh do - OH(x1_1: eae_input_t) := - let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in - find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && 
(protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_5[u_50, u_51]) - orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then - return(r_6[u_48, u_49]) - orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then - return(r_7[u_47]) - else - r_7 <-R eae_output_t; - return(r_7) - else - find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then - return(r_8[u_40]) - else - r_8 <-R eae_output_t; - return(r_8) - )) - - -Proved indistinguishability between game 46 and game 1 -Game 46 is the same as game 32. 
-Adv[Game 1: indistinguishability from game 32] <= Adv_GDH(time_1, 2 * Qh * Qdperuser + N * #OAEncap + N * #OADecap + 3 * Qh * N) + (N + #OAEncap) * PDistRerandom + (#OAEncap * Qdperuser + #OAEncap * N + 6 * #OAEncap * Qeperuser + 9 * N * N) * PCollKey + Adv[Game 32: indistinguishability from game 32] -Adv[Game 32: indistinguishability from game 32] <= 0 -Adv[Game 33: indistinguishability from game 46] <= (#OAEncap * N + #OAEncap * Qeperuser + 4 * N * N) * PCollKey + Adv[Game 46: indistinguishability from game 46] -Adv[Game 46: indistinguishability from game 46] <= 0 -RESULT Proved indistinguishability between game 33 and game 1 up to probability Adv_GDH(time_1, 2 * Qh * Qdperuser + N * #OAEncap + N * #OADecap + 3 * Qh * N) + (N + #OAEncap) * PDistRerandom + (#OAEncap * Qdperuser + 2 * #OAEncap * N + 7 * #OAEncap * Qeperuser + 13 * N * N) * PCollKey -RESULT time_1 = time(context for game 28) + time + (1 + #OAEncap + N) * time(exp) -RESULT time(context for game 28) = #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_8)) + (#OAEncap + 2 * Qh * #OAEncap) * time(exp) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_9)) + #OADecap * #OAEncap * time(= bitstring, maxlength(game 28: enc_8), maxlength(game 28: enc_2)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) -All queries proved. 
+Initial state +Game 1 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + return((skS: Z_t <- sk; {23}let (skE: Z_t, pkE_2: G_t) = (z <-R Z_t; (z, exp(g, z))) in dh_2: GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); enc_1: bitstring <- Serialize(pkE_2); pkS: G_t <- exp(g, skS); kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); zz_2: eae_output_t <- (key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info))); AuthEncap_tuple(zz_2, enc_1) else AuthEncap_None)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + return((skR: Z_t <- sk; let Serialize(pkE_3: G_t) = enc_2 in dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); pkR_1: G_t <- exp(g, skR); kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); zz_3: eae_output_t <- (key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1))); AuthDecap_Some(zz_3) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (skE: Z_t, pkE_2: G_t) (tuple expanded) at 23 + - Remove else branch of let at 23 +yields + +Game 2 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + skS: Z_t <- sk; + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + skE: Z_t <- z; + dh_2: 
GG_t <- concatDH(exp(pk_R, skE), exp(pk_R, skS)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, skS); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + skR: Z_t <- sk; + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, skR), exp(pk_S, skR)); + pkR_1: G_t <- exp(g, skR); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR (definition removed, all usages removed) + - Remove assignments on skS (definition removed, all usages removed) + - Remove assignments on skE (definition removed, all usages removed) +yields + +Game 3 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + {18} z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction find i1 <= N suchthat + defined(sk[i1]) + && pk_R = exp(g, sk[i1]) then at occurrence 18 +yields + +Game 4 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + 
return(AuthEncap_tuple(zz_2, enc_1)) + else + z <-R Z_t; + pkE_2: G_t <- exp(g, z); + dh_2: GG_t <- concatDH(exp(pk_R, z), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename z + - Rename variable z into z_6, z_5 +yields + +Game 5 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_2: G_t <- exp(g, z_5); + dh_2: GG_t <- {36}concatDH(exp(pk_R, z_5), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, 
label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z_6 <-R Z_t; + pkE_2: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify + - Simplification pass + - Replaced concatDH(exp(pk_R, z_5), exp(pk_R, sk)) with concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))) at 36 +yields + +Game 6 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N 
suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_2: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + else + z_6 <-R Z_t; + pkE_2: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_1: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_1)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename enc_1 + - 
Rename variable enc_1 into enc_9, enc_8 +yields + +Game 7 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_2: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_8)) + else + z_6 <-R Z_t; + pkE_2: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_2: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_2, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, 
key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename zz_2 + - Rename variable zz_2 into zz_11, zz_10 +yields + +Game 8 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_2: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_2: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_2); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_2, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename pkE_2 + - Rename variable pkE_2 into pkE_11, pkE_10 +yields + +Game 9 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, 
enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename pkS + - Rename variable pkS into pkS_5, pkS_4 +yields + +Game 10 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_2: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_2: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_2); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename dh_2 + - Rename variable dh_2 into dh_11, dh_10 +yields + +Game 11 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + 
return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_2: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_2); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename kemContext_2 + - Rename variable kemContext_2 into kemContext_11, kemContext_10 +yields + +Game 12 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- 
concatContext(pkE_10, pk_R, pkS_4); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying SA rename key + - Rename variable key into key_6, key_5 +yields + +Game 13 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N 
suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) 
+ + +Applying SA rename info + - Rename variable info into info_6, info_5 +yields + +Game 14 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + {218} let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + 
zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction find ie1 <= Qeperuser, i1 <= N suchthat + defined(sk[i1], pk_R[ie1, i1], zz_10[ie1, i1], z_5[ie1, i1], enc_8[ie1, i1]) + && exp(g, sk) = pk_R[ie1, i1] + && pk_S = exp(g, sk[i1]) + && enc_8[ie1, i1] = enc_2 then at occurrence 218 +yields + +Game 15 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + 
return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(sk[i1_9], pk_R[ie1_3, i1_9], zz_10[ie1_3, i1_9], z_5[ie1_3, i1_9], enc_8[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some({319}zz_3)) + else + return(AuthDecap_None) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying replace term at occurrence 319 with zz_10[ie1_2, i1_8] [probability N^2 * PCollKey] +yields + +Game 16 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) 
then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && (exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + 
return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + return(AuthDecap_None) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on zz_3 (definition removed, all usages removed) + - Remove assignments on key_1 (definition removed, all usages removed) + - Remove assignments on info_1 (definition removed, all usages removed) + - Remove assignments on dh_3 (definition removed, all usages removed) + - Remove assignments on kemContext_3 (definition removed, all usages removed) + - Remove assignments on pkR_1 (definition removed, all usages removed) +yields + +Game 17 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + {218} find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9]) && {226}((exp(g, sk) = pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2)) then + {251} let Serialize(pkE_3: G_t) = {252}enc_2 in + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + return(AuthDecap_None) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced ((exp(g, sk) = 
pk_R[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2)) with ((i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2)) at 226 + - Replaced enc_2 with Serialize(pkE_10[ie1_2, i1_8]) at 252 + - Remove else branch of let at 251 + - Simplify pattern Serialize(pkE_3: G_t) (tuple expanded) at 251 + - Replaced defined condition zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], pk_R[ie1_3, i1_9] with zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9] in find at 218 +yields + +Game 18 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + 
return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + pkE_3: G_t <- pkE_10[ie1_2, i1_8]; + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on pkE_3 (definition removed, all usages removed) +yields + +Game 19 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + {353} return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + 
concatDH(dh1: G_t, dh2: G_t)), + concatExpand( + l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in at occurrence 353 +yields + +Game 20 is + Ostart() := + key_extr_3 <-R hash_key_t; + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_5, info_5)); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_6, info_6)); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], pkE_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = 
enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- ExtractAndExpand_inner(key_extr_3, eae_input(lbytes_empty, key_1, info_1)); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return(ExtractAndExpand_inner(key_extr_3, x1)) + else + return(ExtractAndExpand_inner(key_extr_3, x1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_3 -> hk +yields + +Game 21 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- 
(x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {104}find [unique] u_38 = ri_38 <= Qeperuser, u_39 = ri_39 <= N suchthat defined(x_O[ri_38, ri_39], r[ri_38, ri_39]) && {109}(x_O_1 = x_O[ri_38, ri_39]) then r[u_38, u_39] orfind u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_33 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then r_3[u_33] orfind u_32 = ri_32 <= Qh suchthat defined(x_O_4[ri_32], r_4[ri_32]) && {173}(x_O_1 = x_O_4[ri_32]) then r_4[u_32] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {276}find [unique] u_30 = ri_30 <= Qeperuser, u_31 = ri_31 <= N suchthat defined(x_O[ri_30, ri_31], r[ri_30, ri_31]) && (x_O = x_O[ri_30, ri_31]) then r[u_30, u_31] orfind u_28 = ri_28 <= Qeperuser, u_29 = ri_29 <= N suchthat defined(x_O_1[ri_28, ri_29], r_1[ri_28, ri_29]) && {299}(x_O = x_O_1[ri_28, ri_29]) then r_1[u_28, u_29] orfind u_26 = ri_26 <= Qdperuser, u_27 = ri_27 <= N suchthat defined(x_O_2[ri_26, ri_27], r_2[ri_26, ri_27]) && (x_O = x_O_2[ri_26, ri_27]) then r_2[u_26, u_27] orfind u_25 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then r_3[u_25] orfind u_24 = 
ri_24 <= Qh suchthat defined(x_O_4[ri_24], r_4[ri_24]) && {345}(x_O = x_O_4[ri_24]) then r_4[u_24] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); {484}find [unique] u_22 = ri_22 <= Qeperuser, u_23 = ri_23 <= N suchthat defined(x_O[ri_22, ri_23], r[ri_22, ri_23]) && (x_O_2 = x_O[ri_22, ri_23]) then r[u_22, u_23] orfind u_20 = ri_20 <= Qeperuser, u_21 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && (x_O_2 = x_O_1[ri_20, ri_21]) then r_1[u_20, u_21] orfind u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then r_2[u_18, u_19] orfind u_17 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then r_3[u_17] orfind u_16 = ri_16 <= Qh suchthat defined(x_O_4[ri_16], r_4[ri_16]) && {553}(x_O_2 = x_O_4[ri_16]) then r_4[u_16] else r_2 <-R eae_output_t; r_2); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: 
suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_3: eae_input_t <- x1; {604}find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then r[u_14, u_15] orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then r_1[u_12, u_13] orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then r_2[u_10, u_11] orfind u_9 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then r_3[u_9] orfind u_8 = ri_8 <= Qh suchthat defined(x_O_4[ri_8], r_4[ri_8]) && {662}(x_O_3 = x_O_4[ri_8]) then r_4[u_8] else r_3 <-R eae_output_t; r_3)) + else + return((x_O_4: eae_input_t <- x1; {679}find [unique] u_6 = ri_6 <= Qeperuser, u_7 = ri_7 <= N suchthat defined(x_O[ri_6, ri_7], r[ri_6, ri_7]) && {684}(x_O_4 = x_O[ri_6, ri_7]) then r[u_6, u_7] orfind u_4 = ri_4 <= Qeperuser, u_5 = ri_5 <= N suchthat defined(x_O_1[ri_4, ri_5], r_1[ri_4, ri_5]) && {699}(x_O_4 = x_O_1[ri_4, ri_5]) then r_1[u_4, u_5] orfind u_2 = ri_2 <= Qdperuser, u_3 = ri_3 <= N suchthat defined(x_O_2[ri_2, ri_3], r_2[ri_2, ri_3]) && {714}(x_O_4 = x_O_2[ri_2, ri_3]) then r_2[u_2, u_3] orfind u_1 = ri_1 <= Qh suchthat defined(x_O_3[ri_1], r_3[ri_1]) && {727}(x_O_4 = x_O_3[ri_1]) then r_3[u_1] orfind u = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then r_4[u] else r_4 <-R eae_output_t; r_4)) + )) + + +Applying simplify (non-expanded game) [probability (4 * #OAEncap^2 + N^2) * PCollKey] + - Simplification pass + - Replaced (x_O_1 = x_O_4[ri_32]) with false at 173 + - Remove branch 5 in find at 104 + - Replaced (x_O_1 = x_O[ri_38, ri_39]) 
with false at 109 + - Remove branch 1 in find at 104 + - Replaced (x_O = x_O_4[ri_24]) with false at 345 + - Remove branch 5 in find at 276 + - Replaced (x_O = x_O_1[ri_28, ri_29]) with false at 299 + - Remove branch 2 in find at 276 + - Replaced (x_O_2 = x_O_4[ri_16]) with false at 553 + - Remove branch 5 in find at 484 + - Replaced (x_O_3 = x_O_4[ri_8]) with false at 662 + - Remove branch 5 in find at 604 + - Replaced (x_O_4 = x_O_3[ri_1]) with false at 727 + - Remove branch 4 in find at 679 + - Replaced (x_O_4 = x_O_2[ri_2, ri_3]) with false at 714 + - Remove branch 3 in find at 679 + - Replaced (x_O_4 = x_O_1[ri_4, ri_5]) with false at 699 + - Remove branch 2 in find at 679 + - Replaced (x_O_4 = x_O[ri_6, ri_7]) with false at 684 + - Remove branch 1 in find at 679 +yields + +Game 22 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + zz_10: eae_output_t <- (x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); {104}find [unique] u_36 = ri_36 <= Qeperuser, u_37 = ri_37 <= N suchthat defined(x_O_1[ri_36, ri_37], r_1[ri_36, ri_37]) && (x_O_1 = x_O_1[ri_36, ri_37]) then r_1[u_36, u_37] orfind u_34 = ri_34 <= Qdperuser, u_35 = ri_35 <= N suchthat defined(x_O_2[ri_34, ri_35], r_2[ri_34, ri_35]) && (x_O_1 = x_O_2[ri_34, ri_35]) then r_2[u_34, u_35] orfind u_33 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = 
x_O_3[ri_33]) then r_3[u_33] else r_1 <-R eae_output_t; r_1); + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + zz_11: eae_output_t <- (x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); {246}find [unique] u_30 = ri_30 <= Qeperuser, u_31 = ri_31 <= N suchthat defined(x_O[ri_30, ri_31], r[ri_30, ri_31]) && (x_O = x_O[ri_30, ri_31]) then r[u_30, u_31] orfind u_26 = ri_26 <= Qdperuser, u_27 = ri_27 <= N suchthat defined(x_O_2[ri_26, ri_27], r_2[ri_26, ri_27]) && (x_O = x_O_2[ri_26, ri_27]) then r_2[u_26, u_27] orfind u_25 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then r_3[u_25] else r <-R eae_output_t; r); + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + zz_3: eae_output_t <- (x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); {424}find [unique] u_22 = ri_22 <= Qeperuser, 
u_23 = ri_23 <= N suchthat defined(x_O[ri_22, ri_23], r[ri_22, ri_23]) && (x_O_2 = x_O[ri_22, ri_23]) then r[u_22, u_23] orfind u_20 = ri_20 <= Qeperuser, u_21 = ri_21 <= N suchthat defined(x_O_1[ri_20, ri_21], r_1[ri_20, ri_21]) && (x_O_2 = x_O_1[ri_20, ri_21]) then r_1[u_20, u_21] orfind u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then r_2[u_18, u_19] orfind u_17 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then r_3[u_17] else r_2 <-R eae_output_t; r_2); + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + return((x_O_3: eae_input_t <- x1; find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) then r[u_14, u_15] orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then r_1[u_12, u_13] orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then r_2[u_10, u_11] orfind u_9 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then r_3[u_9] else r_3 <-R eae_output_t; r_3)) + else + return((x_O_4: eae_input_t <- x1; find [unique] u = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then r_4[u] else r_4 <-R eae_output_t; r_4)) + )) + + +Applying expand [probability (2 * #OAEncap^2 + #OAEncap * N + #OAEncap * #OADecap + 
N^2) * PCollKey] + - Expand if/find/let + - Remove branch 2 in find at 424 + - Remove branch 1 in find at 424 + - Remove branch 2 in find at 246 + - Remove branch 1 in find at 246 + - Remove branch 2 in find at 104 + - Remove branch 1 in find at 104 +yields + +Game 23 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_33 = ri_33 <= Qh suchthat defined(x_O_3[ri_33], r_3[ri_33]) && (x_O_1 = x_O_3[ri_33]) then + zz_10: eae_output_t <- r_3[u_33]; + return(AuthEncap_tuple(zz_10, enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(zz_10, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_25 = ri_25 <= Qh suchthat defined(x_O_3[ri_25], r_3[ri_25]) && (x_O = x_O_3[ri_25]) then + zz_11: eae_output_t <- r_3[u_25]; + return(AuthEncap_tuple(zz_11, enc_9)) + else 
+ r <-R eae_output_t; + zz_11: eae_output_t <- r; + return(AuthEncap_tuple(zz_11, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); + find [unique] u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && (x_O_2 = x_O_2[ri_18, ri_19]) then + zz_3: eae_output_t <- r_2[u_18, u_19]; + return(AuthDecap_Some(zz_3)) + orfind u_17 = ri_17 <= Qh suchthat defined(x_O_3[ri_17], r_3[ri_17]) && (x_O_2 = x_O_3[ri_17]) then + zz_3: eae_output_t <- r_3[u_17]; + return(AuthDecap_Some(zz_3)) + else + r_2 <-R eae_output_t; + zz_3: eae_output_t <- r_2; + return(AuthDecap_Some(zz_3)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_3: eae_input_t <- x1; + find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && (x_O_3 = x_O[ri_14, ri_15]) 
then + return(r[u_14, u_15]) + orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && (x_O_3 = x_O_1[ri_12, ri_13]) then + return(r_1[u_12, u_13]) + orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && (x_O_3 = x_O_2[ri_10, ri_11]) then + return(r_2[u_10, u_11]) + orfind u_9 = ri_9 <= Qh suchthat defined(x_O_3[ri_9], r_3[ri_9]) && (x_O_3 = x_O_3[ri_9]) then + return(r_3[u_9]) + else + r_3 <-R eae_output_t; + return(r_3) + else + x_O_4: eae_input_t <- x1; + find [unique] u = ri <= Qh suchthat defined(x_O_4[ri], r_4[ri]) && (x_O_4 = x_O_4[ri]) then + return(r_4[u]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_4 (definition point kept, all usages removed) + - Remove assignments on x_O_3 (definition point kept, all usages removed) + - Remove assignments on zz_3 (definition removed, all usages removed) + - Remove assignments on zz_3 (definition removed, all usages removed) + - Remove assignments on zz_3 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_11 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition kept, array references kept) + - Remove assignments on zz_10 (definition kept, array references kept) +yields + +Game 24 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- 
concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + {103} find [unique] u_33 = ri_33 <= Qh suchthat defined(x1[ri_33], x_O_3[ri_33], r_3[ri_33]) && {107}(x_O_1 = x1[ri_33]) then + zz_10: eae_output_t <- r_3[u_33]; + return(AuthEncap_tuple(r_3[u_33], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + {224} find [unique] u_25 = ri_25 <= Qh suchthat defined(x1[ri_25], x_O_3[ri_25], r_3[ri_25]) && {228}(x_O = x1[ri_25]) then + return(AuthEncap_tuple(r_3[u_25], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, 
kemContext_3); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); + {370} find [unique] u_18 = ri_18 <= Qdperuser, u_19 = ri_19 <= N suchthat defined(x_O_2[ri_18, ri_19], r_2[ri_18, ri_19]) && {375}(x_O_2 = x_O_2[ri_18, ri_19]) then + return(AuthDecap_Some(r_2[u_18, u_19])) + orfind u_17 = ri_17 <= Qh suchthat defined(x1[ri_17], x_O_3[ri_17], r_3[ri_17]) && {396}(x_O_2 = x1[ri_17]) then + return(AuthDecap_Some(r_3[u_17])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_3: eae_input_t <- cst_eae_input_t; + {445} find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(x_O[ri_14, ri_15], r[ri_14, ri_15]) && {450}(x1 = x_O[ri_14, ri_15]) then + return(r[u_14, u_15]) + orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(x_O_1[ri_12, ri_13], r_1[ri_12, ri_13]) && {468}(x1 = x_O_1[ri_12, ri_13]) then + return(r_1[u_12, u_13]) + orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(x_O_2[ri_10, ri_11], r_2[ri_10, ri_11]) && {486}(x1 = x_O_2[ri_10, ri_11]) then + return(r_2[u_10, u_11]) + orfind u_9 = ri_9 <= Qh suchthat defined(x1[ri_9], x_O_3[ri_9], r_3[ri_9]) && {503}(x1 = x1[ri_9]) then + return(r_3[u_9]) + else + r_3 <-R eae_output_t; + return(r_3) + else + x_O_4: eae_input_t <- cst_eae_input_t; + {523} find [unique] u = ri <= Qh suchthat defined(x1[ri], x_O_4[ri], r_4[ri]) && (x1 = x1[ri]) then + return(r_4[u]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced 
defined condition x1[ri], x_O_4[ri], r_4[ri] with r_4[ri], x1[ri] in find at 523 + - Replaced (x1 = x1[ri_9]) with ((pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9])) at 503 + - Replaced defined condition x1[ri_9], x_O_3[ri_9], r_3[ri_9] with r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9] in find at 445 + - Replaced (x1 = x_O_2[ri_10, ri_11]) with ((pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 486 + - Replaced defined condition x_O_2[ri_10, ri_11], r_2[ri_10, ri_11] with r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11] in find at 445 + - Replaced (x1 = x_O_1[ri_12, ri_13]) with ((pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 468 + - Replaced defined condition x_O_1[ri_12, ri_13], r_1[ri_12, ri_13] with r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, 
ri_13], pkS_4[ri_12, ri_13] in find at 445 + - Replaced (x1 = x_O[ri_14, ri_15]) with ((pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty)) at 450 + - Replaced defined condition x_O[ri_14, ri_15], r[ri_14, ri_15] with r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15] in find at 445 + - Replaced (x_O_2 = x1[ri_17]) with ((pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17])) at 396 + - Replaced defined condition x1[ri_17], x_O_3[ri_17], r_3[ri_17] with r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17] in find at 370 + - Replaced (x_O_2 = x_O_2[ri_18, ri_19]) with ((pk_S = pk_S[ri_18, ri_19]) && (i = ri_19) && (pkE_3 = pkE_3[ri_18, ri_19])) at 375 + - In branch 1 of find at 370, substituting u_19 with i + - Replaced defined condition x_O_2[ri_18, ri_19], r_2[ri_18, ri_19] with r_2[ri_18], pkE_3[ri_18], pk_S[ri_18] in find at 370 + - Replaced (x_O = x1[ri_25]) with ((pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = 
dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25])) at 228 + - Replaced defined condition x1[ri_25], x_O_3[ri_25], r_3[ri_25] with r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25] in find at 224 + - Replaced (x_O_1 = x1[ri_33]) with ((pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33])) at 107 + - Replaced defined condition x1[ri_33], x_O_3[ri_33], r_3[ri_33] with r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33] in find at 103 +yields + +Game 25 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_1: eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find 
[unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_33]; + return(AuthEncap_tuple(r_3[u_33], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = 
salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_25], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); + find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && {557}((pk_S = pk_S[ri_18]) && (i = i) && (pkE_3 = pkE_3[ri_18])) then + u_19 <= N <- i; + return(AuthDecap_Some(r_2[u_18])) + orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_17])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= 
Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_3: eae_input_t <- cst_eae_input_t; + find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_14, u_15]) + orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_12, u_13]) + orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && 
(protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_10, u_11]) + orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_9]) + else + r_3 <-R eae_output_t; + return(r_3) + else + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S = pk_S[ri_18]) && (i = i) && (pkE_3 = pkE_3[ri_18])) with ((pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18])) at 557 +yields + +Game 26 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + kemContext_10: GGG_t <- concatContext(pkE_10, pk_R, pkS_4); + key_5: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_10); + info_5: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_10); + x_O_1: 
eae_input_t <- eae_input(lbytes_empty, key_5, info_5); + find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_33]; + return(AuthEncap_tuple(r_3[u_33], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + kemContext_11: GGG_t <- concatContext(pkE_11, pk_R, pkS_5); + key_6: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_11); + info_6: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_11); + x_O: eae_input_t <- eae_input(lbytes_empty, key_6, info_6); + find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) 
&& (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_25], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + kemContext_3: GGG_t <- concatContext(pkE_3, pkR_1, pk_S); + key_1: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_3); + info_1: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_3); + x_O_2: eae_input_t <- eae_input(lbytes_empty, key_1, info_1); + find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + u_19 <= N <- i; + return(AuthDecap_Some(r_2[u_18])) + orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_17])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, 
sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + x_O_3: eae_input_t <- cst_eae_input_t; + find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_14, u_15]) + orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_12, u_13]) + orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = 
label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_10, u_11]) + orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_9]) + else + r_3 <-R eae_output_t; + return(r_3) + else + x_O_4: eae_input_t <- cst_eae_input_t; + find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying move all binders + - Move assignment to x_O_4 + - Move assignment to x_O_3 + - Move assignment to x_O_2 + - Move assignment to info_1 + - Move assignment to key_1 + - Move assignment to kemContext_3 + - Move assignment to x_O + - Move assignment to info_6 + - Move assignment to key_6 + - Move assignment to kemContext_11 + - Move assignment to x_O_1 + - Move assignment to info_5 + - Move assignment to key_5 + - Move assignment to kemContext_10 +yields + +Game 27 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + dh_10: GG_t <- concatDH(exp(g, mult(sk[i1_6], z_5)), exp(g, mult(sk[i1_6], sk))); + enc_8: 
bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_33]; + return(AuthEncap_tuple(r_3[u_33], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + dh_11: GG_t <- concatDH(exp(pk_R, z_6), exp(pk_R, sk)); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_25], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N 
suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + dh_3: GG_t <- concatDH(exp(pkE_3, sk), exp(pk_S, sk)); + pkR_1: G_t <- exp(g, sk); + find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + u_19 <= N <- i; + return(AuthDecap_Some(r_2[u_18])) + orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_17])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, 
ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_14, u_15]) + orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_12, u_13]) + orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_10, u_11]) + orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = 
protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_9]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_3 (definition removed, all usages removed) + - Remove assignments on u_19 (definition removed, all usages removed) + - Remove assignments on dh_11 (definition removed, all usages removed) + - Remove assignments on dh_10 (definition removed, all usages removed) +yields + +Game 28 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + find [unique] u_33 = ri_33 <= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (exp(g, mult(sk[i1_6], sk)) = dh2[ri_33]) && (exp(g, mult(sk[i1_6], z_5)) = dh1[ri_33]) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_33]; + return(AuthEncap_tuple(r_3[u_33], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R 
Z_t; + pkE_11: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (exp(pk_R, sk) = dh2[ri_25]) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_25], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + pkR_1: G_t <- exp(g, sk); + find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + return(AuthDecap_Some(r_2[u_18])) + orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (exp(pk_S, sk) = dh2[ri_17]) && (exp(pkE_3, sk) = dh1[ri_17]) 
&& (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_17])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_14, u_15]) + orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], z_5[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13]))) && (dh1 = exp(g, mult(sk[i1_6[ri_12, ri_13]], z_5[ri_12, ri_13]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_12, u_13]) + orfind u_10 = ri_10 <= 
Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_10, u_11]) + orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_9]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying equivalence gdh(exp) with variables: sk -> a, z_5 -> b [probability Adv_GDH(time_1, 5 * Qh) + (#OAEncap + N) * PDistRerandom + (2 * #OAEncap^2 + N^2) * PCollKey] + - Equivalence gdh(exp) with variables: sk -> a, z_5 -> b +yields + +Game 29 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_7]))) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + {49} find [unique] u_33 = ri_33 
<= Qh suchthat defined(r_3[ri_33], salt[ri_33], protocol1[ri_33], suite1[ri_33], label1[ri_33], dh1[ri_33], dh2[ri_33], l[ri_33], protocol2[ri_33], suite2[ri_33], label2[ri_33], pkE'[ri_33], pkR'[ri_33], pkS'[ri_33]) && (pkS_4 = pkS'[ri_33]) && (pk_R = pkR'[ri_33]) && (pkE_10 = pkE'[ri_33]) && (label_shared_secret = label2[ri_33]) && (suite_id = suite2[ri_33]) && (RFCXXXX = protocol2[ri_33]) && (I2OSP2(Nsecret) = l[ri_33]) && (m_10: G_t <- dh2[ri_33]; (m_10 = exp(g, mult(sk[i1_6], sk)))) && (m_5: G_t <- dh1[ri_33]; false) && (label_eae_prk = label1[ri_33]) && (suite_id = suite1[ri_33]) && (RFCXXXX = protocol1[ri_33]) && (lbytes_empty = salt[ri_33]) then + zz_10: eae_output_t <- r_3[u_33]; + return(AuthEncap_tuple(r_3[u_33], enc_8)) + else + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (m: G_t <- dh2[ri_25]; m': G_t <- pk_R; (m = exp(m', sk))) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_25], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) 
&& (m_13: G_t <- pk_S; (m_13 = exp(g, sk[i1_9]))) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + pkR_1: G_t <- exp(g, sk); + find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + return(AuthDecap_Some(r_2[u_18])) + orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (m_12: G_t <- dh2[ri_17]; m'_3: G_t <- pk_S; (m_12 = exp(m'_3, sk))) && (m_11: G_t <- dh1[ri_17]; m'_2: G_t <- pkE_3; (m_11 = exp(m'_2, sk))) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_17])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + {575} find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && 
(suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14: G_t <- dh2; m'_4: G_t <- pk_R[ri_14, ri_15]; (m_14 = exp(m'_4, sk[ri_15]))) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_14, u_15]) + orfind u_12 = ri_12 <= Qeperuser, u_13 = ri_13 <= N suchthat defined(r_1[ri_12, ri_13], sk[ri_13], sk[i1_6[ri_12, ri_13]], pkE_10[ri_12, ri_13], pk_R[ri_12, ri_13], pkS_4[ri_12, ri_13]) && (pkS' = pkS_4[ri_12, ri_13]) && (pkR' = pk_R[ri_12, ri_13]) && (pkE' = pkE_10[ri_12, ri_13]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_21: G_t <- dh2; (m_21 = exp(g, mult(sk[i1_6[ri_12, ri_13]], sk[ri_13])))) && (m_16: G_t <- dh1; false) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_1[u_12, u_13]) + orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_23: G_t <- dh2; m'_6: G_t <- pk_S[ri_10, ri_11]; (m_23 = exp(m'_6, sk[ri_11]))) && (m_22: G_t <- dh1; m'_5: G_t <- pkE_3[ri_10, ri_11]; (m_22 = exp(m'_5, sk[ri_11]))) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_10, u_11]) + orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && 
(protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_9]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + + +Applying expand + - Expand if/find/let + - Remove branch 2 in find at 575 + - Remove branch 1 in find at 49 + - Find at 49 removed (else branch kept if any) +yields + +Game 30 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (m_1: G_t <- pk_R; (m_1 = exp(g, sk[i1_7]))) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + pkS_4: G_t <- exp(g, sk); + r_1 <-R eae_output_t; + zz_10: eae_output_t <- r_1; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (m: G_t <- dh2[ri_25]; m': G_t <- pk_R; ((pkS_5 = pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (m = exp(m', sk)) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]))) then + return(AuthEncap_tuple(r_3[u_25], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + 
foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(zz_10[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (m_13: G_t <- pk_S; ((i = i1_6[ie1_3, i1_9]) && (m_13 = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2))) then + return(AuthDecap_Some(zz_10[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + pkR_1: G_t <- exp(g, sk); + find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + return(AuthDecap_Some(r_2[u_18])) + orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (m_12: G_t <- dh2[ri_17]; m'_3: G_t <- pk_S; m_11: G_t <- dh1[ri_17]; m'_2: G_t <- pkE_3; ((pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (m_12 = exp(m'_3, sk)) && (m_11 = exp(m'_2, sk)) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]))) then + return(AuthDecap_Some(r_3[u_17])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], 
z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (m_14: G_t <- dh2; m'_4: G_t <- pk_R[ri_14, ri_15]; ((pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_14 = exp(m'_4, sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r[u_14, u_15]) + orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (m_23: G_t <- dh2; m'_6: G_t <- pk_S[ri_10, ri_11]; m_22: G_t <- dh1; m'_5: G_t <- pkE_3[ri_10, ri_11]; ((pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (m_23 = exp(m'_6, sk[ri_11])) && (m_22 = exp(m'_5, sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty))) then + return(r_2[u_10, u_11]) + orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 = suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_9]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u]) + else + r_4 <-R eae_output_t; + 
return(r_4) + )) + + +Applying remove assignments of findcond + - Remove assignments on m_14 (definition removed, all usages removed) + - Remove assignments on m'_4 (definition removed, all usages removed) + - Remove assignments on m_23 (definition removed, all usages removed) + - Remove assignments on m'_6 (definition removed, all usages removed) + - Remove assignments on m_22 (definition removed, all usages removed) + - Remove assignments on m'_5 (definition removed, all usages removed) + - Remove assignments on m_12 (definition removed, all usages removed) + - Remove assignments on m'_3 (definition removed, all usages removed) + - Remove assignments on m_11 (definition removed, all usages removed) + - Remove assignments on m'_2 (definition removed, all usages removed) + - Remove assignments on m_13 (definition removed, all usages removed) + - Remove assignments on m (definition removed, all usages removed) + - Remove assignments on m' (definition removed, all usages removed) + - Remove assignments on pkS_4 (definition removed, all usages removed) + - Remove assignments on zz_10 (definition removed, all usages removed) + - Remove assignments on m_1 (definition removed, all usages removed) +yields + +Game 31 is + Ostart() := + return(); + (( + foreach i <= N do + Osetup() := + sk <-R Z_t; + return(); + (( + foreach ie <= Qeperuser do + OAEncap(pk_R: G_t) := + find i1_6 = i1_7 <= N suchthat defined(sk[i1_7]) && (pk_R = exp(g, sk[i1_7])) then + z_5 <-R Z_t; + pkE_10: G_t <- exp(g, z_5); + enc_8: bitstring <- Serialize(pkE_10); + r_1 <-R eae_output_t; + return(AuthEncap_tuple(r_1, enc_8)) + else + z_6 <-R Z_t; + pkE_11: G_t <- exp(g, z_6); + enc_9: bitstring <- Serialize(pkE_11); + pkS_5: G_t <- exp(g, sk); + find [unique] u_25 = ri_25 <= Qh suchthat defined(r_3[ri_25], salt[ri_25], protocol1[ri_25], suite1[ri_25], label1[ri_25], dh1[ri_25], dh2[ri_25], l[ri_25], protocol2[ri_25], suite2[ri_25], label2[ri_25], pkE'[ri_25], pkR'[ri_25], pkS'[ri_25]) && (pkS_5 = 
pkS'[ri_25]) && (pk_R = pkR'[ri_25]) && (pkE_11 = pkE'[ri_25]) && (label_shared_secret = label2[ri_25]) && (suite_id = suite2[ri_25]) && (RFCXXXX = protocol2[ri_25]) && (I2OSP2(Nsecret) = l[ri_25]) && (dh2[ri_25] = exp(pk_R, sk)) && (exp(pk_R, z_6) = dh1[ri_25]) && (label_eae_prk = label1[ri_25]) && (suite_id = suite1[ri_25]) && (RFCXXXX = protocol1[ri_25]) && (lbytes_empty = salt[ri_25]) then + return(AuthEncap_tuple(r_3[u_25], enc_9)) + else + r <-R eae_output_t; + return(AuthEncap_tuple(r, enc_9)) + ) | ( + foreach id <= Qdperuser do + OADecap(pk_S: G_t, enc_2: bitstring) := + find ie1_2 = ie1_3 <= Qeperuser, i1_8 = i1_9 <= N suchthat defined(r_1[ie1_3, i1_9], enc_8[ie1_3, i1_9], sk[i1_9], i1_6[ie1_3, i1_9]) && (i = i1_6[ie1_3, i1_9]) && (pk_S = exp(g, sk[i1_9])) && (enc_8[ie1_3, i1_9] = enc_2) then + return(AuthDecap_Some(r_1[ie1_2, i1_8])) + else + let Serialize(pkE_3: G_t) = enc_2 in + pkR_1: G_t <- exp(g, sk); + find [unique] u_18 = ri_18 <= Qdperuser suchthat defined(r_2[ri_18], pkE_3[ri_18], pk_S[ri_18]) && (pk_S = pk_S[ri_18]) && (pkE_3 = pkE_3[ri_18]) then + return(AuthDecap_Some(r_2[u_18])) + orfind u_17 = ri_17 <= Qh suchthat defined(r_3[ri_17], salt[ri_17], protocol1[ri_17], suite1[ri_17], label1[ri_17], dh1[ri_17], dh2[ri_17], l[ri_17], protocol2[ri_17], suite2[ri_17], label2[ri_17], pkE'[ri_17], pkR'[ri_17], pkS'[ri_17]) && (pk_S = pkS'[ri_17]) && (pkR_1 = pkR'[ri_17]) && (pkE_3 = pkE'[ri_17]) && (label_shared_secret = label2[ri_17]) && (suite_id = suite2[ri_17]) && (RFCXXXX = protocol2[ri_17]) && (I2OSP2(Nsecret) = l[ri_17]) && (dh2[ri_17] = exp(pk_S, sk)) && (dh1[ri_17] = exp(pkE_3, sk)) && (label_eae_prk = label1[ri_17]) && (suite_id = suite1[ri_17]) && (RFCXXXX = protocol1[ri_17]) && (lbytes_empty = salt[ri_17]) then + return(AuthDecap_Some(r_3[u_17])) + else + r_2 <-R eae_output_t; + return(AuthDecap_Some(r_2)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk)) + )) + ) | ( + foreach iH <= Qh do + OH(x1: eae_input_t) := + 
let eae_input(salt: extract_salt_t, concatExtract(protocol1: label_protocol_t, suite1: suite_id_t, label1: label_extract_t, concatDH(dh1: G_t, dh2: G_t)), concatExpand(l: two_byte_t, protocol2: label_protocol_t, suite2: suite_id_t, label2: label_expand_t, concatContext(pkE': G_t, pkR': G_t, pkS': G_t))) = x1 in + find [unique] u_14 = ri_14 <= Qeperuser, u_15 = ri_15 <= N suchthat defined(r[ri_14, ri_15], z_6[ri_14, ri_15], sk[ri_15], pkE_11[ri_14, ri_15], pk_R[ri_14, ri_15], pkS_5[ri_14, ri_15]) && (pkS' = pkS_5[ri_14, ri_15]) && (pkR' = pk_R[ri_14, ri_15]) && (pkE' = pkE_11[ri_14, ri_15]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_R[ri_14, ri_15], sk[ri_15])) && (dh1 = exp(pk_R[ri_14, ri_15], z_6[ri_14, ri_15])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r[u_14, u_15]) + orfind u_10 = ri_10 <= Qdperuser, u_11 = ri_11 <= N suchthat defined(r_2[ri_10, ri_11], sk[ri_11], pkE_3[ri_10, ri_11], pkR_1[ri_10, ri_11], pk_S[ri_10, ri_11]) && (pkS' = pk_S[ri_10, ri_11]) && (pkR' = pkR_1[ri_10, ri_11]) && (pkE' = pkE_3[ri_10, ri_11]) && (label2 = label_shared_secret) && (suite2 = suite_id) && (protocol2 = RFCXXXX) && (l = I2OSP2(Nsecret)) && (dh2 = exp(pk_S[ri_10, ri_11], sk[ri_11])) && (dh1 = exp(pkE_3[ri_10, ri_11], sk[ri_11])) && (label1 = label_eae_prk) && (suite1 = suite_id) && (protocol1 = RFCXXXX) && (salt = lbytes_empty) then + return(r_2[u_10, u_11]) + orfind u_9 = ri_9 <= Qh suchthat defined(r_3[ri_9], salt[ri_9], protocol1[ri_9], suite1[ri_9], label1[ri_9], dh1[ri_9], dh2[ri_9], l[ri_9], protocol2[ri_9], suite2[ri_9], label2[ri_9], pkE'[ri_9], pkR'[ri_9], pkS'[ri_9]) && (pkS' = pkS'[ri_9]) && (pkR' = pkR'[ri_9]) && (pkE' = pkE'[ri_9]) && (label2 = label2[ri_9]) && (suite2 = suite2[ri_9]) && (protocol2 = protocol2[ri_9]) && (l = l[ri_9]) && (dh2 = dh2[ri_9]) && (dh1 = dh1[ri_9]) && (label1 = label1[ri_9]) && (suite1 
= suite1[ri_9]) && (protocol1 = protocol1[ri_9]) && (salt = salt[ri_9]) then + return(r_3[u_9]) + else + r_3 <-R eae_output_t; + return(r_3) + else + find [unique] u = ri <= Qh suchthat defined(r_4[ri], x1[ri]) && (x1 = x1[ri]) then + return(r_4[u]) + else + r_4 <-R eae_output_t; + return(r_4) + )) + +Initial state +Game 32 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = (exponent_15: Z_t <- sk_1[i1]; exp(g, exponent_15))) then + {33} let AuthEncap_tuple(k: eae_output_t, ce: bitstring) = (skS_1: Z_t <- sk_1; {37}let (skE_1: Z_t, pkE_8: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_8: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_7: bitstring <- Serialize(pkE_8); pkS_3: G_t <- exp(g, skS_1); kemContext_8: GGG_t <- concatContext(pkE_8, pk_R_1, pkS_3); zz_8: eae_output_t <- (key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_3, info_3))); AuthEncap_tuple(zz_8, enc_7) else AuthEncap_None) in + k' <-R eae_output_t; + return(AuthEncap_tuple(k', ce)) + else + return(AuthEncap_None) + else + return((skS_1: Z_t <- sk_1; {143}let (skE_1: Z_t, pkE_7: G_t) = (z_1 <-R Z_t; (z_1, exp(g, z_1))) in dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); enc_6: bitstring <- Serialize(pkE_7); pkS_2: G_t <- exp(g, skS_1); kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); zz_7: eae_output_t <- (key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, 
info_2))); AuthEncap_tuple(zz_7, enc_6) else AuthEncap_None)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2], ce[ie1, i1_2]) && (exp(g, sk_1) = pk_R_1[ie1, i1_2]) && ((exponent_16: Z_t <- sk_1[i1_2]; exp(g, exponent_16)) = pk_S_1) && (ce[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + return((skR_1: Z_t <- sk_1; let Serialize(pkE_9: G_t) = cd in dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); pkR_4: G_t <- exp(g, skR_1); kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); zz_9: eae_output_t <- (key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4))); AuthDecap_Some(zz_9) else AuthDecap_None)) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying expand [probability N^2 * PCollKey] + - Expand if/find/let + - Simplify pattern (skE_1: Z_t, pkE_7: G_t) (tuple expanded) at 143 + - Remove else branch of let at 143 + - Simplify pattern (skE_1: Z_t, pkE_8: G_t) (tuple expanded) at 37 + - Remove else branch of let at 37 + - Simplify pattern AuthEncap_tuple(k: eae_output_t, ce: bitstring) (tuple expanded) at 33 + - Remove else branch of let at 33 +yields + +Game 33 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (exponent_15: Z_t <- sk_1[i1]; (pk_R_1 = exp(g, exponent_15))) then + skS_1: Z_t <- sk_1; + z_1 <-R Z_t; + pkE_8: G_t <- exp(g, z_1); + skE_1: Z_t <- z_1; + 
dh_8: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); + enc_7: bitstring <- Serialize(pkE_8); + pkS_3: G_t <- exp(g, skS_1); + kemContext_8: GGG_t <- concatContext(pkE_8, pk_R_1, pkS_3); + key_3: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_8); + info_3: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_8); + zz_8: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_3, info_3)); + ce: bitstring <- enc_7; + k: eae_output_t <- zz_8; + k' <-R eae_output_t; + return(AuthEncap_tuple(k', ce)) + else + skS_1: Z_t <- sk_1; + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + skE_1: Z_t <- z_1; + dh_7: GG_t <- concatDH(exp(pk_R_1, skE_1), exp(pk_R_1, skS_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, skS_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2], ce[ie1, i1_2]) && (exponent_16: Z_t <- sk_1[i1_2]; ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, exponent_16) = pk_S_1) && (ce[ie1, i1_2] = cd))) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + skR_1: Z_t <- sk_1; + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, skR_1), exp(pk_S_1, skR_1)); + pkR_4: G_t <- exp(g, skR_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, 
label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR_1 (definition removed, all usages removed) + - Remove assignments on exponent_16 (definition removed, all usages removed) + - Remove assignments on skS_1 (definition removed, all usages removed) + - Remove assignments on skE_1 (definition removed, all usages removed) + - Remove assignments on skS_1 (definition removed, all usages removed) + - Remove assignments on skE_1 (definition removed, all usages removed) + - Remove assignments on ce (definition removed, all usages removed) + - Remove assignments on k (definition removed, all usages removed) + - Remove assignments on exponent_15 (definition removed, all usages removed) + - Remove assignments on zz_8 (definition removed, all usages removed) + - Remove assignments on key_3 (definition removed, all usages removed) + - Remove assignments on info_3 (definition removed, all usages removed) + - Remove assignments on dh_8 (definition removed, all usages removed) + - Remove assignments on kemContext_8 (definition removed, all usages removed) + - Remove assignments on pkS_3 (definition removed, all usages removed) +yields + +Game 34 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_1 <-R Z_t; + pkE_8: G_t <- exp(g, z_1); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, 
z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + {147} find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2]) && {155}((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd)) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced ((exp(g, sk_1) = pk_R_1[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd)) with ((i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd)) at 155 + - Replaced defined condition enc_7[ie1, i1_2], sk_1[i1_2], pk_R_1[ie1, i1_2], k'[ie1, i1_2] 
with k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2] in find at 147 +yields + +Game 35 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_1 <-R Z_t; + pkE_8: G_t <- exp(g, z_1); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_1 <-R Z_t; + pkE_7: G_t <- exp(g, z_1); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_1), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) 
| ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying remove assignments of findcond + - Rename variable z_1 into z_4, z_3 +yields + +Game 36 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + 
zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + {280} return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying insert instruction let eae_input( + salt: extract_salt_t, + concatExtract( + protocol1: label_protocol_t, + suite1: suite_id_t, + label1: label_extract_t, + concatDH(dh1: G_t, dh2: G_t)), + concatExpand(l: two_byte_t, + protocol2: label_protocol_t, + suite2: suite_id_t, + label2: label_expand_t, + concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in at occurrence 280 +yields + +Game 37 is + Ostart() := + key_extr_11 <-R hash_key_t; + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_2, info_2)); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) 
= pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- ExtractAndExpand_inner(key_extr_11, eae_input(lbytes_empty, key_4, info_4)); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + else + return(ExtractAndExpand_inner(key_extr_11, x1_1)) + )) + + +Applying equivalence rom(ExtractAndExpand_inner) + - Equivalence rom(ExtractAndExpand_inner) with variables: key_extr_11 -> hk +yields + +Game 38 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- (x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {123}find [unique] u_62 = ri_62 <= Qeperuser, u_63 = ri_63 <= N suchthat defined(x_O_5[ri_62, ri_63], r_5[ri_62, ri_63]) && (x_O_5 = x_O_5[ri_62, ri_63]) then r_5[u_62, u_63] orfind u_60 = ri_60 <= Qdperuser, u_61 = ri_61 <= N suchthat defined(x_O_6[ri_60, ri_61], r_6[ri_60, ri_61]) && (x_O_5 = x_O_6[ri_60, ri_61]) then r_6[u_60, u_61] orfind u_59 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then r_7[u_59] orfind u_58 = ri_58 <= Qh suchthat defined(x_O_8[ri_58], r_8[ri_58]) && {174}(x_O_5 = x_O_8[ri_58]) then r_8[u_58] else r_5 <-R eae_output_t; r_5); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {313}find [unique] u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_5[ri_56, ri_57], r_5[ri_56, ri_57]) && (x_O_6 = x_O_5[ri_56, ri_57]) then r_5[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], 
r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then r_6[u_54, u_55] orfind u_53 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then r_7[u_53] orfind u_52 = ri_52 <= Qh suchthat defined(x_O_8[ri_52], r_8[ri_52]) && {364}(x_O_6 = x_O_8[ri_52]) then r_8[u_52] else r_6 <-R eae_output_t; r_6); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_7: eae_input_t <- x1_1; {415}find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then r_5[u_50, u_51] orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then r_6[u_48, u_49] orfind u_47 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then r_7[u_47] orfind u_46 = ri_46 <= Qh suchthat defined(x_O_8[ri_46], r_8[ri_46]) && {458}(x_O_7 = x_O_8[ri_46]) then r_8[u_46] else r_7 <-R eae_output_t; r_7)) + else + return((x_O_8: eae_input_t <- x1_1; {475}find [unique] u_44 = ri_44 <= Qeperuser, u_45 = ri_45 <= N suchthat defined(x_O_5[ri_44, ri_45], r_5[ri_44, ri_45]) && {480}(x_O_8 = x_O_5[ri_44, ri_45]) then r_5[u_44, u_45] orfind u_42 = ri_42 <= Qdperuser, u_43 = ri_43 <= N suchthat defined(x_O_6[ri_42, ri_43], r_6[ri_42, ri_43]) && {495}(x_O_8 = x_O_6[ri_42, ri_43]) then r_6[u_42, u_43] orfind u_41 = ri_41 <= Qh suchthat defined(x_O_7[ri_41], r_7[ri_41]) && {508}(x_O_8 = x_O_7[ri_41]) then r_7[u_41] orfind u_40 = 
ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then r_8[u_40] else r_8 <-R eae_output_t; r_8)) + )) + + +Applying simplify (non-expanded game) [probability (N^2 + #OAEncap^2) * PCollKey] + - Simplification pass + - Replaced (x_O_5 = x_O_8[ri_58]) with false at 174 + - Remove branch 4 in find at 123 + - Replaced (x_O_6 = x_O_8[ri_52]) with false at 364 + - Remove branch 4 in find at 313 + - Replaced (x_O_7 = x_O_8[ri_46]) with false at 458 + - Remove branch 4 in find at 415 + - Replaced (x_O_8 = x_O_7[ri_41]) with false at 508 + - Remove branch 3 in find at 475 + - Replaced (x_O_8 = x_O_6[ri_42, ri_43]) with false at 495 + - Remove branch 2 in find at 475 + - Replaced (x_O_8 = x_O_5[ri_44, ri_45]) with false at 480 + - Remove branch 1 in find at 475 +yields + +Game 39 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + zz_7: eae_output_t <- (x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); {123}find [unique] u_62 = ri_62 <= Qeperuser, u_63 = ri_63 <= N suchthat defined(x_O_5[ri_62, ri_63], r_5[ri_62, ri_63]) && (x_O_5 = x_O_5[ri_62, ri_63]) then r_5[u_62, u_63] orfind u_60 = ri_60 <= Qdperuser, u_61 = ri_61 <= N suchthat defined(x_O_6[ri_60, ri_61], 
r_6[ri_60, ri_61]) && (x_O_5 = x_O_6[ri_60, ri_61]) then r_6[u_60, u_61] orfind u_59 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 = x_O_7[ri_59]) then r_7[u_59] else r_5 <-R eae_output_t; r_5); + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + zz_9: eae_output_t <- (x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); {301}find [unique] u_56 = ri_56 <= Qeperuser, u_57 = ri_57 <= N suchthat defined(x_O_5[ri_56, ri_57], r_5[ri_56, ri_57]) && (x_O_6 = x_O_5[ri_56, ri_57]) then r_5[u_56, u_57] orfind u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then r_6[u_54, u_55] orfind u_53 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then r_7[u_53] else r_6 <-R eae_output_t; r_6); + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: 
label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + return((x_O_7: eae_input_t <- x1_1; find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then r_5[u_50, u_51] orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then r_6[u_48, u_49] orfind u_47 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then r_7[u_47] else r_7 <-R eae_output_t; r_7)) + else + return((x_O_8: eae_input_t <- x1_1; find [unique] u_40 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then r_8[u_40] else r_8 <-R eae_output_t; r_8)) + )) + + +Applying expand [probability (#OAEncap^2 + #OAEncap * N + N^2) * PCollKey] + - Expand if/find/let + - Remove branch 1 in find at 301 + - Remove branch 2 in find at 123 + - Remove branch 1 in find at 123 +yields + +Game 40 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_59 = ri_59 <= Qh suchthat defined(x_O_7[ri_59], r_7[ri_59]) && (x_O_5 
= x_O_7[ri_59]) then + zz_7: eae_output_t <- r_7[u_59]; + return(AuthEncap_tuple(zz_7, enc_6)) + else + r_5 <-R eae_output_t; + zz_7: eae_output_t <- r_5; + return(AuthEncap_tuple(zz_7, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && (x_O_6 = x_O_6[ri_54, ri_55]) then + zz_9: eae_output_t <- r_6[u_54, u_55]; + return(AuthDecap_Some(zz_9)) + orfind u_53 = ri_53 <= Qh suchthat defined(x_O_7[ri_53], r_7[ri_53]) && (x_O_6 = x_O_7[ri_53]) then + zz_9: eae_output_t <- r_7[u_53]; + return(AuthDecap_Some(zz_9)) + else + r_6 <-R eae_output_t; + zz_9: eae_output_t <- r_6; + return(AuthDecap_Some(zz_9)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_7: eae_input_t <- x1_1; + find 
[unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && (x_O_7 = x_O_5[ri_50, ri_51]) then + return(r_5[u_50, u_51]) + orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && (x_O_7 = x_O_6[ri_48, ri_49]) then + return(r_6[u_48, u_49]) + orfind u_47 = ri_47 <= Qh suchthat defined(x_O_7[ri_47], r_7[ri_47]) && (x_O_7 = x_O_7[ri_47]) then + return(r_7[u_47]) + else + r_7 <-R eae_output_t; + return(r_7) + else + x_O_8: eae_input_t <- x1_1; + find [unique] u_40 = ri_40 <= Qh suchthat defined(x_O_8[ri_40], r_8[ri_40]) && (x_O_8 = x_O_8[ri_40]) then + return(r_8[u_40]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_O_8 (definition point kept, all usages removed) + - Remove assignments on x_O_7 (definition point kept, all usages removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on zz_9 (definition removed, all usages removed) + - Remove assignments on zz_7 (definition removed, all usages removed) + - Remove assignments on zz_7 (definition removed, all usages removed) +yields + +Game 41 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, 
suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + {122} find [unique] u_59 = ri_59 <= Qh suchthat defined(x1_1[ri_59], x_O_7[ri_59], r_7[ri_59]) && {126}(x_O_5 = x1_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_59], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + {268} find [unique] u_54 = ri_54 <= Qdperuser, u_55 = ri_55 <= N suchthat defined(x_O_6[ri_54, ri_55], r_6[ri_54, ri_55]) && {273}(x_O_6 = x_O_6[ri_54, ri_55]) then + return(AuthDecap_Some(r_6[u_54, u_55])) + orfind u_53 = ri_53 <= Qh suchthat defined(x1_1[ri_53], x_O_7[ri_53], r_7[ri_53]) && {294}(x_O_6 = x1_1[ri_53]) then + return(AuthDecap_Some(r_7[u_53])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), 
concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_7: eae_input_t <- cst_eae_input_t; + {343} find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(x_O_5[ri_50, ri_51], r_5[ri_50, ri_51]) && {348}(x1_1 = x_O_5[ri_50, ri_51]) then + return(r_5[u_50, u_51]) + orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(x_O_6[ri_48, ri_49], r_6[ri_48, ri_49]) && {366}(x1_1 = x_O_6[ri_48, ri_49]) then + return(r_6[u_48, u_49]) + orfind u_47 = ri_47 <= Qh suchthat defined(x1_1[ri_47], x_O_7[ri_47], r_7[ri_47]) && {383}(x1_1 = x1_1[ri_47]) then + return(r_7[u_47]) + else + r_7 <-R eae_output_t; + return(r_7) + else + x_O_8: eae_input_t <- cst_eae_input_t; + {403} find [unique] u_40 = ri_40 <= Qh suchthat defined(x1_1[ri_40], x_O_8[ri_40], r_8[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_40]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying simplify [probability N^2 * PCollKey] + - Simplification pass + - Replaced defined condition x1_1[ri_40], x_O_8[ri_40], r_8[ri_40] with r_8[ri_40], x1_1[ri_40] in find at 403 + - Replaced (x1_1 = x1_1[ri_47]) with ((pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47])) at 383 + - Replaced defined condition x1_1[ri_47], x_O_7[ri_47], r_7[ri_47] with r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47] in find at 343 + - Replaced (x1_1 = x_O_6[ri_48, ri_49]) with ((pkS'' = 
pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 366 + - Replaced defined condition x_O_6[ri_48, ri_49], r_6[ri_48, ri_49] with r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49] in find at 343 + - Replaced (x1_1 = x_O_5[ri_50, ri_51]) with ((pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty)) at 348 + - Replaced defined condition x_O_5[ri_50, ri_51], r_5[ri_50, ri_51] with r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51] in find at 343 + - Replaced (x_O_6 = x1_1[ri_53]) with ((pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53])) at 294 + - Replaced defined condition x1_1[ri_53], x_O_7[ri_53], r_7[ri_53] with r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], 
suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53] in find at 268 + - Replaced (x_O_6 = x_O_6[ri_54, ri_55]) with ((pk_S_1 = pk_S_1[ri_54, ri_55]) && (i_1 = ri_55) && (pkE_9 = pkE_9[ri_54, ri_55])) at 273 + - In branch 1 of find at 268, substituting u_55 with i_1 + - Replaced defined condition x_O_6[ri_54, ri_55], r_6[ri_54, ri_55] with r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54] in find at 268 + - Replaced (x_O_5 = x1_1[ri_59]) with ((pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59])) at 126 + - Replaced defined condition x1_1[ri_59], x_O_7[ri_59], r_7[ri_59] with r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59] in find at 122 +yields + +Game 42 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), 
RFCXXXX, suite_id, label_shared_secret, kemContext_7); + x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_59], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && {362}((pk_S_1 = pk_S_1[ri_54]) && (i_1 = i_1) && (pkE_9 = pkE_9[ri_54])) then + u_55 <= N <- i_1; + return(AuthDecap_Some(r_6[u_54])) + orfind u_53 = ri_53 <= 
Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then + return(AuthDecap_Some(r_7[u_53])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_7: eae_input_t <- cst_eae_input_t; + find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_5[u_50, u_51]) + orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 
<= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_48, u_49]) + orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then + return(r_7[u_47]) + else + r_7 <-R eae_output_t; + return(r_7) + else + x_O_8: eae_input_t <- cst_eae_input_t; + find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_40]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying simplify + - Simplification pass + - Replaced ((pk_S_1 = pk_S_1[ri_54]) && (i_1 = i_1) && (pkE_9 = pkE_9[ri_54])) with ((pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54])) at 362 +yields + +Game 43 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: 
G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + kemContext_7: GGG_t <- concatContext(pkE_7, pk_R_1, pkS_2); + key_2: extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_7); + info_2: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_7); + x_O_5: eae_input_t <- eae_input(lbytes_empty, key_2, info_2); + find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_59], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + kemContext_9: GGG_t <- concatContext(pkE_9, pkR_4, pk_S_1); + key_4: 
extract_key_t <- concatExtract(RFCXXXX, suite_id, label_eae_prk, dh_9); + info_4: expand_info_t <- concatExpand(I2OSP2(Nsecret), RFCXXXX, suite_id, label_shared_secret, kemContext_9); + x_O_6: eae_input_t <- eae_input(lbytes_empty, key_4, info_4); + find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then + u_55 <= N <- i_1; + return(AuthDecap_Some(r_6[u_54])) + orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then + return(AuthDecap_Some(r_7[u_53])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + x_O_7: eae_input_t <- cst_eae_input_t; + find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, 
ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_5[u_50, u_51]) + orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_48, u_49]) + orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then + return(r_7[u_47]) + else + r_7 <-R eae_output_t; + return(r_7) + else + x_O_8: eae_input_t <- cst_eae_input_t; + find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_40]) + else + r_8 <-R eae_output_t; + return(r_8) 
+ )) + + +Applying move all binders + - Move assignment to x_O_8 + - Move assignment to x_O_7 + - Move assignment to x_O_6 + - Move assignment to info_4 + - Move assignment to key_4 + - Move assignment to kemContext_9 + - Move assignment to x_O_5 + - Move assignment to info_2 + - Move assignment to key_2 + - Move assignment to kemContext_7 +yields + +Game 44 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + dh_7: GG_t <- concatDH(exp(pk_R_1, z_3), exp(pk_R_1, sk_1)); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_59], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && 
(exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + dh_9: GG_t <- concatDH(exp(pkE_9, sk_1), exp(pk_S_1, sk_1)); + pkR_4: G_t <- exp(g, sk_1); + find [unique] u_54 = ri_54 <= Qdperuser suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then + u_55 <= N <- i_1; + return(AuthDecap_Some(r_6[u_54])) + orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then + return(AuthDecap_Some(r_7[u_53])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && 
(pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_5[u_50, u_51]) + orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_48, u_49]) + orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then + return(r_7[u_47]) + else + r_7 <-R eae_output_t; + return(r_7) + else + find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_40]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Applying remove assignments of findcond + - Remove assignments on dh_9 
(definition removed, all usages removed) + - Remove assignments on u_55 (definition removed, all usages removed) + - Remove assignments on dh_7 (definition removed, all usages removed) +yields + +Game 45 is + Ostart() := + return(); + (( + foreach i_1 <= N do + Osetup() := + sk_1 <-R Z_t; + return(); + (( + foreach ie_1 <= Qeperuser do + OAEncap(pk_R_1: G_t) := + find i1_4 = i1 <= N suchthat defined(sk_1[i1]) && (pk_R_1 = exp(g, sk_1[i1])) then + z_4 <-R Z_t; + pkE_8: G_t <- exp(g, z_4); + enc_7: bitstring <- Serialize(pkE_8); + k' <-R eae_output_t; + return(AuthEncap_tuple(k', enc_7)) + else + z_3 <-R Z_t; + pkE_7: G_t <- exp(g, z_3); + enc_6: bitstring <- Serialize(pkE_7); + pkS_2: G_t <- exp(g, sk_1); + find [unique] u_59 = ri_59 <= Qh suchthat defined(r_7[ri_59], salt_1[ri_59], protocol1_1[ri_59], suite1_1[ri_59], label1_1[ri_59], dh1_1[ri_59], dh2_1[ri_59], l_1[ri_59], protocol2_1[ri_59], suite2_1[ri_59], label2_1[ri_59], pkE''[ri_59], pkR''[ri_59], pkS''[ri_59]) && (pkS_2 = pkS''[ri_59]) && (pk_R_1 = pkR''[ri_59]) && (pkE_7 = pkE''[ri_59]) && (label_shared_secret = label2_1[ri_59]) && (suite_id = suite2_1[ri_59]) && (RFCXXXX = protocol2_1[ri_59]) && (I2OSP2(Nsecret) = l_1[ri_59]) && (exp(pk_R_1, sk_1) = dh2_1[ri_59]) && (exp(pk_R_1, z_3) = dh1_1[ri_59]) && (label_eae_prk = label1_1[ri_59]) && (suite_id = suite1_1[ri_59]) && (RFCXXXX = protocol1_1[ri_59]) && (lbytes_empty = salt_1[ri_59]) then + return(AuthEncap_tuple(r_7[u_59], enc_6)) + else + r_5 <-R eae_output_t; + return(AuthEncap_tuple(r_5, enc_6)) + ) | ( + foreach id_1 <= Qdperuser do + OADecap(pk_S_1: G_t, cd: bitstring) := + find ie1_1 = ie1 <= Qeperuser, i1_5 = i1_2 <= N suchthat defined(k'[ie1, i1_2], enc_7[ie1, i1_2], sk_1[i1_2], i1_4[ie1, i1_2]) && (i_1 = i1_4[ie1, i1_2]) && (exp(g, sk_1[i1_2]) = pk_S_1) && (enc_7[ie1, i1_2] = cd) then + return(AuthDecap_Some(k'[ie1_1, i1_5])) + else + let Serialize(pkE_9: G_t) = cd in + pkR_4: G_t <- exp(g, sk_1); + find [unique] u_54 = ri_54 <= Qdperuser 
suchthat defined(r_6[ri_54], pkE_9[ri_54], pk_S_1[ri_54]) && (pk_S_1 = pk_S_1[ri_54]) && (pkE_9 = pkE_9[ri_54]) then + return(AuthDecap_Some(r_6[u_54])) + orfind u_53 = ri_53 <= Qh suchthat defined(r_7[ri_53], salt_1[ri_53], protocol1_1[ri_53], suite1_1[ri_53], label1_1[ri_53], dh1_1[ri_53], dh2_1[ri_53], l_1[ri_53], protocol2_1[ri_53], suite2_1[ri_53], label2_1[ri_53], pkE''[ri_53], pkR''[ri_53], pkS''[ri_53]) && (pk_S_1 = pkS''[ri_53]) && (pkR_4 = pkR''[ri_53]) && (pkE_9 = pkE''[ri_53]) && (label_shared_secret = label2_1[ri_53]) && (suite_id = suite2_1[ri_53]) && (RFCXXXX = protocol2_1[ri_53]) && (I2OSP2(Nsecret) = l_1[ri_53]) && (exp(pk_S_1, sk_1) = dh2_1[ri_53]) && (exp(pkE_9, sk_1) = dh1_1[ri_53]) && (label_eae_prk = label1_1[ri_53]) && (suite_id = suite1_1[ri_53]) && (RFCXXXX = protocol1_1[ri_53]) && (lbytes_empty = salt_1[ri_53]) then + return(AuthDecap_Some(r_7[u_53])) + else + r_6 <-R eae_output_t; + return(AuthDecap_Some(r_6)) + else + return(AuthDecap_None) + ) | ( + Opk() := + return(exp(g, sk_1)) + )) + ) | ( + foreach iH_1 <= Qh do + OH(x1_1: eae_input_t) := + let eae_input(salt_1: extract_salt_t, concatExtract(protocol1_1: label_protocol_t, suite1_1: suite_id_t, label1_1: label_extract_t, concatDH(dh1_1: G_t, dh2_1: G_t)), concatExpand(l_1: two_byte_t, protocol2_1: label_protocol_t, suite2_1: suite_id_t, label2_1: label_expand_t, concatContext(pkE'': G_t, pkR'': G_t, pkS'': G_t))) = x1_1 in + find [unique] u_50 = ri_50 <= Qeperuser, u_51 = ri_51 <= N suchthat defined(r_5[ri_50, ri_51], z_3[ri_50, ri_51], sk_1[ri_51], pkE_7[ri_50, ri_51], pk_R_1[ri_50, ri_51], pkS_2[ri_50, ri_51]) && (pkS'' = pkS_2[ri_50, ri_51]) && (pkR'' = pk_R_1[ri_50, ri_51]) && (pkE'' = pkE_7[ri_50, ri_51]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_R_1[ri_50, ri_51], sk_1[ri_51])) && (dh1_1 = exp(pk_R_1[ri_50, ri_51], z_3[ri_50, ri_51])) && (label1_1 = label_eae_prk) && (suite1_1 = 
suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_5[u_50, u_51]) + orfind u_48 = ri_48 <= Qdperuser, u_49 = ri_49 <= N suchthat defined(r_6[ri_48, ri_49], sk_1[ri_49], pkE_9[ri_48, ri_49], pkR_4[ri_48, ri_49], pk_S_1[ri_48, ri_49]) && (pkS'' = pk_S_1[ri_48, ri_49]) && (pkR'' = pkR_4[ri_48, ri_49]) && (pkE'' = pkE_9[ri_48, ri_49]) && (label2_1 = label_shared_secret) && (suite2_1 = suite_id) && (protocol2_1 = RFCXXXX) && (l_1 = I2OSP2(Nsecret)) && (dh2_1 = exp(pk_S_1[ri_48, ri_49], sk_1[ri_49])) && (dh1_1 = exp(pkE_9[ri_48, ri_49], sk_1[ri_49])) && (label1_1 = label_eae_prk) && (suite1_1 = suite_id) && (protocol1_1 = RFCXXXX) && (salt_1 = lbytes_empty) then + return(r_6[u_48, u_49]) + orfind u_47 = ri_47 <= Qh suchthat defined(r_7[ri_47], salt_1[ri_47], protocol1_1[ri_47], suite1_1[ri_47], label1_1[ri_47], dh1_1[ri_47], dh2_1[ri_47], l_1[ri_47], protocol2_1[ri_47], suite2_1[ri_47], label2_1[ri_47], pkE''[ri_47], pkR''[ri_47], pkS''[ri_47]) && (pkS'' = pkS''[ri_47]) && (pkR'' = pkR''[ri_47]) && (pkE'' = pkE''[ri_47]) && (label2_1 = label2_1[ri_47]) && (suite2_1 = suite2_1[ri_47]) && (protocol2_1 = protocol2_1[ri_47]) && (l_1 = l_1[ri_47]) && (dh2_1 = dh2_1[ri_47]) && (dh1_1 = dh1_1[ri_47]) && (label1_1 = label1_1[ri_47]) && (suite1_1 = suite1_1[ri_47]) && (protocol1_1 = protocol1_1[ri_47]) && (salt_1 = salt_1[ri_47]) then + return(r_7[u_47]) + else + r_7 <-R eae_output_t; + return(r_7) + else + find [unique] u_40 = ri_40 <= Qh suchthat defined(r_8[ri_40], x1_1[ri_40]) && (x1_1 = x1_1[ri_40]) then + return(r_8[u_40]) + else + r_8 <-R eae_output_t; + return(r_8) + )) + + +Proved indistinguishability between game 45 and game 1 +Game 45 is the same as game 31. 
+Adv[Game 1: indistinguishability from game 31] <= Adv_GDH(time_1, 5 * Qh) + (N + #OAEncap) * PDistRerandom + (#OAEncap * #OADecap + #OAEncap * N + 8 * #OAEncap^2 + 6 * N^2) * PCollKey + Adv[Game 31: indistinguishability from game 31] +Adv[Game 31: indistinguishability from game 31] <= 0 +Adv[Game 32: indistinguishability from game 45] <= (#OAEncap * N + 2 * #OAEncap^2 + 5 * N^2) * PCollKey + Adv[Game 45: indistinguishability from game 45] +Adv[Game 45: indistinguishability from game 45] <= 0 +RESULT Proved indistinguishability between game 32 and game 1 up to probability Adv_GDH(time_1, 5 * Qh) + (N + #OAEncap) * PDistRerandom + (#OAEncap * #OADecap + 2 * #OAEncap * N + 10 * #OAEncap^2 + 11 * N^2) * PCollKey +RESULT time_1 = #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_8)) + #OAEncap * time(Serialize) + #OAEncap * time(AuthEncap_tuple, maxlength(game 28: enc_9)) + #OADecap * #OAEncap * time(= bitstring, maxlength(game 28: enc_8), maxlength(game 28: enc_2)) + #OADecap * time(let Serialize) + #OADecap * time(AuthDecap_Some) + Qh * time(let eae_input) + Qh * time(let concatExpand) + Qh * time(let concatContext) + Qh * time(let concatExtract) + Qh * time(let concatDH) + (3 * Qh * #OAEncap + 2 * Qh * #OADecap) * time(I2OSP2) + (2 * Qh * #OAEncap + 1 + 2 * #OAEncap + N) * time(exp) + time +All queries proved. diff --git a/hpke.auth.insider-cca.proof b/hpke.auth.insider-cca.proof index f47c667..627a477 100644 --- a/hpke.auth.insider-cca.proof +++ b/hpke.auth.insider-cca.proof 
@@ -1,3416 +1,3255 @@ -Initial state -Game 1 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - return((let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_8: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - get E(=pk_4, =the_pk, =enc_7, =c, =aad_10, =info_7) in - return(OpenAuth_None) - else - return((info_hash: bitstring <- info_7; let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in 
let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); skS_2: skey_t <- skgen(s'); let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, the_pk, skS_2)) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_10: bitstring) = (let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in - insert E(pkgen(s'), the_pk, enc_star, c_star, aad_11, info_8); - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand get, insert - - Expand get/insert for table E -yields - -Game 2 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - {8}let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - return({29}(let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let 
AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in {41}let KeySchedule_Some(ctx_6: context_t) = {42}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {79}let Context_Seal_Some(ct_8: bitstring) = {80}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - return((info_hash: bitstring <- info_7; {194}let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in {205}let KeySchedule_Some(ctx_8: context_t) = {206}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({241}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in 
Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then -{289} let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); skS_2: skey_t <- skgen(s'); {304}let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, the_pk, skS_2)) in {316}let KeySchedule_Some(ctx_10: context_t) = {317}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in {354}let Context_Seal_Some(ct_10: bitstring) = {355}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in - E_1: pkey_t <- pkgen(s'); - E_2: pkey_t <- the_pk; - E_3: kemciph_t <- enc_star; - E_4: bitstring <- c_star; - E_5: bitstring <- aad_11; - E_6: bitstring <- info_8; - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 8 - - Remove let at 289 - - Remove let at 304 - - Remove let at 289 - - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 317 - - Remove else branch of let at 317 - - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 316 - - Remove else branch of let at 316 - - Simplify pattern 
SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) (tuple expanded) at 304 - - Remove else branch of let at 304 - - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 355 - - Remove else branch of let at 355 - - Simplify pattern Context_Seal_Some(ct_10: bitstring) (tuple expanded) at 354 - - Remove else branch of let at 354 - - Simplify pattern SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) (tuple expanded) at 289 - - Remove else branch of let at 289 - - Remove let at 194 - - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 206 - - Remove else branch of let at 206 - - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 205 - - Remove else branch of let at 205 - - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 194 - - Remove else branch of let at 194 - - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 241 - - Remove else branch of let at 241 - - Remove let at 29 - - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 42 - - Remove else branch of let at 42 - - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 41 - - Remove else branch of let at 41 - - Simplify pattern SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) (tuple expanded) at 29 - - Remove else branch of let at 29 - - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 80 - - Remove else branch of let at 80 - - Simplify pattern Context_Seal_Some(ct_8: bitstring) (tuple expanded) at 79 - - Remove else branch of let at 79 -yields - -Game 3 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let 
AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); - ctx_7: context_t <- ctx_6; - enc_6: kemciph_t <- enc_5; - seq_3: nonce_t <- nonce_zero; - nonce_7: nonce_t <- nonce_6; - key_7: key_t <- key_6; - nonce_8: nonce_t <- xor(nonce_7, seq_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_7, nonce_8); - ct_8: bitstring <- ct_7; - return(SealAuth_Some(enc_6, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - info_hash: bitstring <- info_7; - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); - ctx_9: context_t <- ctx_8; - seq_4: nonce_t <- nonce_zero; - nonce_10: nonce_t <- nonce_9; - key_9: key_t <- key_8; - nonce_11: nonce_t <- xor(nonce_10, seq_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_9, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - skS_2: skey_t <- 
skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); - ctx_11: context_t <- ctx_10; - enc_9: kemciph_t <- enc_8; - seq_5: nonce_t <- nonce_zero; - nonce_13: nonce_t <- nonce_12; - key_11: key_t <- key_10; - nonce_14: nonce_t <- xor(nonce_13, seq_5); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_11, nonce_14); - ct_10: bitstring <- ct_9; - c_star: bitstring <- ct_10; - enc_star: kemciph_t <- enc_9; - E_1: pkey_t <- pkgen(s'); - E_2: pkey_t <- the_pk; - E_3: kemciph_t <- enc_star; - E_4: bitstring <- c_star; - E_5: bitstring <- aad_11; - E_6: bitstring <- info_8; - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on ctx_11 (definition removed, all usages removed) - - Remove assignments on enc_9 (definition removed, all usages removed) - - Remove assignments on nonce_13 (definition removed, all usages removed) - - Remove assignments on key_11 (definition removed, all usages removed) - - Remove assignments on ct_10 (definition removed, all usages removed) - - Remove assignments on c_star (definition removed, all usages removed) - - Remove assignments on enc_star (definition removed, all usages removed) - - Remove assignments on E_2 (definition removed, all usages removed) - - Remove assignments on E_3 (definition removed, all usages removed) - - Remove assignments on E_4 (definition removed, all usages removed) - - Remove assignments on E_5 (definition removed, all usages removed) - - Remove assignments on E_6 (definition removed, all usages removed) - - Remove assignments on info_hash (definition removed, all usages removed) - - Remove assignments on ctx_9 (definition removed, all usages removed) - - 
Remove assignments on nonce_10 (definition removed, all usages removed) - - Remove assignments on key_9 (definition removed, all usages removed) - - Remove assignments on ctx_7 (definition removed, all usages removed) - - Remove assignments on enc_6 (definition removed, all usages removed) - - Remove assignments on nonce_7 (definition removed, all usages removed) - - Remove assignments on key_7 (definition removed, all usages removed) - - Remove assignments on ct_8 (definition removed, all usages removed) - - Remove assignments on ctx_10 (definition removed, all usages removed) - - Remove assignments on ctx_8 (definition removed, all usages removed) - - Remove assignments on ctx_6 (definition removed, all usages removed) -yields - -Game 4 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- {59}xor(nonce_6, seq_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{104} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], enc_8[u_2, u_3], ct_9[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3]) && {126}((E_1[u_2, u_3] = pk_4) && (the_pk[u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = 
aad_10) && (info_8[u_2, u_3] = info_7)) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- {206}xor(nonce_9, seq_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- {309}xor(nonce_12, seq_5); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Replaced xor(nonce_12, seq_5) with nonce_12 at 309 - - Replaced xor(nonce_9, seq_4) with nonce_9 at 206 - - Replaced ((E_1[u_2, u_3] = pk_4) && (the_pk[u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) with ((E_1[u_2, u_3] = pk_4) && (u_3 = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) at 126 - - In branch 1 of find at 104, substituting u_1 with i - - Replaced defined condition the_pk[u_3], enc_8[u_2, u_3], ct_9[u_2, u_3], aad_11[u_2, u_3], 
info_8[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3], E_1[u_2, u_3] with info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2] in find at 104 - - Replaced xor(nonce_6, seq_3) with nonce_6 at 59 -yields - -Game 5 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && {111}((E_1[u_2] = pk_4) && (i = i) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) then - u_1 <= N <- i; - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, 
info_8: bitstring) := - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((E_1[u_2] = pk_4) && (i = i) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) with ((E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) at 111 -yields - -Game 6 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && 
(info_8[u_2] = info_7) then - u_1 <= N <- i; - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to pt_8 - - Move assignment to seq_4 -yields - -Game 7 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- 
Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - u_1 <= N <- i; - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on seq_5 (definition removed, all usages removed) - - Remove assignments on nonce_14 (definition removed, all usages removed) - - Remove assignments on nonce_11 (definition removed, all usages removed) - - Remove assignments on u_1 (definition removed, 
all usages removed) - - Remove assignments on seq_3 (definition removed, all usages removed) - - Remove assignments on nonce_8 (definition removed, all usages removed) -yields - -Game 8 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- 
KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_sk - - Remove assignments on the_sk (definition removed, all usages removed) -yields - -Game 9 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: 
bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_pk - - Remove assignments on the_pk (definition removed, all usages removed) -yields - -Game 10 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pkgen(s), skS_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence insider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Insider_CCA(time(context for game 10) + time, N, #Oaenc, #Ochall, #Oadec)] - - Equivalence insider_cca(AuthEncap) with variables: k_3 -> ks', k_2 -> ks, s -> s_1 -yields - -Game 11 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (pk_R: pkey_t <- pk_3; AuthEncap_r(k_4, pk_R, skgen(s))) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && 
(aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else -{144} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S: pkey_t <- pk_4; cd: kemciph_t <- enc_7; find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1], s'_1[ri, ri_1]) && (ce[ri, ri_1] = cd) && (pkgen(s'_1[ri, ri_1]) = pk_S) && (pkgen(s[ri_1]) = pkgen(s)) then AuthDecap_Some(k'_1[u_4, u_5]) else AuthDecap(cd, skgen(s), pk_S)) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; -{278} let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (s'_1: keypairseed_t <- s'; let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s'_1)) in k': kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_1, ce) else AuthEncap_None) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand [probability N * N * P_pk_coll] - - Expand if/find/let - - Simplify pattern AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) (tuple expanded) at 278 - - Remove else branch of let at 278 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 144 - - Remove else branch of let at 144 
-yields - -Game 12 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - pk_R: pkey_t <- pk_3; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_R, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - pk_S: pkey_t <- pk_4; - cd: kemciph_t <- enc_7; - find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1], s'_1[ri, ri_1]) && (ce[ri, ri_1] = cd) && (pkgen(s'_1[ri, ri_1]) = pk_S) && (pkgen(s[ri_1]) = pkgen(s)) then - shared_secret_4: kemkey_t <- k'_1[u_4, u_5]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - 
return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - skS_2: skey_t <- skgen(s'); - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; - s'_1: keypairseed_t <- s'; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s'_1)) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - shared_secret_5: kemkey_t <- k'_1; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on skS_2 (definition removed, all usages removed) - - Remove assignments on s'_1 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on enc_8 (definition kept, array references kept) - - Remove assignments on pk_S (definition removed, all usages removed) - - Remove assignments on cd (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on pk_R (definition removed, all usages removed) -yields - -Game 13 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R 
keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else -{140} find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(s'[ri, ri_1], k'_1[ri, ri_1], k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1]) && {152}((ce[ri, ri_1] = enc_7) && (pkgen(s'[ri, ri_1]) = pk_4) && (pkgen(s[ri_1]) = pkgen(s))) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4, u_5], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: 
bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Replaced ((ce[ri, ri_1] = enc_7) && (pkgen(s'[ri, ri_1]) = pk_4) && (pkgen(s[ri_1]) = pkgen(s))) with ((ce[ri, ri_1] = enc_7) && (pkgen(s'[ri, ri_1]) = pk_4) && (ri_1 = i)) at 152 - - In branch 1 of find at 140, substituting u_5 with i - - Replaced defined condition s'[ri, ri_1], k'_1[ri, ri_1], k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1] with k'[ri], k'_1[ri], s'[ri], ce[ri] in find at 140 -yields - -Game 14 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - 
return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && {149}((ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) && (i = i)) then - u_5 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let 
AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) && (i = i)) with ((ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4)) at 149 -yields - -Game 15 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - u_5 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - 
return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - k'_1 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move random number generation k'_1 -yields - -Game 16 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- 
KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - u_5 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: 
bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - k'_1 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_1 <-R kemkey_t; - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_5 (definition removed, all usages removed) -yields - -Game 17 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, 
aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - k'_1 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_1 <-R kemkey_t; - return(bottom) - else - return(bottom) - )) - - -Applying equivalence eliminate_failing(AuthEncap) - - Equivalence eliminate_failing(AuthEncap) -yields - -Game 18 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 
<-R kemseed_t; - {21} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_7: kemseed_t <- k_4; pk_5: pkey_t <- pk_3; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_7, pk_5, sk_2), AuthEncap_enc_r(k_7, pk_5, sk_2))) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else -{163} find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; -{316} let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = (k_8: kemseed_t <- 
k_6; pk_6: pkey_t <- pkgen(s); sk_3: skey_t <- skgen(s'); AuthEncap_tuple(AuthEncap_key_r(k_8, pk_6, sk_3), AuthEncap_enc_r(k_8, pk_6, sk_3))) in - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - k'_1 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_1 <-R kemkey_t; - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) (tuple expanded) at 316 - - Remove else branch of let at 316 - - Replaced defined condition k'[ri], k'_1[ri], s'[ri], ce[ri] with k'_1[ri], s'[ri], ce[ri] in find at 163 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 21 - - Remove else branch of let at 21 -yields - -Game 19 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - k_7: kemseed_t <- k_4; - pk_5: pkey_t <- pk_3; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_7, pk_5, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_7, pk_5, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- 
Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - k_8: kemseed_t <- k_6; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_8, pk_6, sk_3); - k_5: kemkey_t <- AuthEncap_key_r(k_8, pk_6, sk_3); - k': kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - 
return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k_8 (definition removed, all usages removed) - - Remove assignments on k_5 (definition removed, all usages removed) - - Remove assignments on k' (definition removed, all usages removed) - - Remove assignments on enc_8 (definition removed, all usages removed) - - Remove assignments on k_7 (definition removed, all usages removed) - - Remove assignments on pk_5 (definition removed, all usages removed) -yields - -Game 20 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{100} find u = u_2 <= Qcperuser suchthat defined(ce[u_2], ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let 
AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition ce[u_2], ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2] with info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2] in find at 100 -yields - -Game 21 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: 
bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - k'_1 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_1, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying equivalence prf(KeySchedule_auth) with k'_1 [probability Adv_PRF_KeySchedule(time(context for game 21) + time, #Ochall, #Ochall + #Oadec)] - - Equivalence prf(KeySchedule_auth) with variables: k'_1 -> k_1 -yields - -Game 22 is - Ostart() := - b <-R bool; - return(); - 
foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(u_4, u_4[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then r_6[u_8, u_9] orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then r_7[u_4] else r_6 <-R keys_t; r_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - k'_1: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_1: bitstring <- info_8; {388}find [unique] u_6 = ri_4 <= Qdperuser, u_7 = ri_5 <= N suchthat defined(u_4[ri_4, ri_5], x[ri_4, ri_5], r_6[ri_4, ri_5]) && {395}((u_4[ri_4, ri_5] = ich) && (ri_5 = i) && (x_1 = x[ri_4, ri_5])) then r_6[u_6, u_7] orfind suchthat defined(x_1, r_7) && {423}(x_1 = x_1) then r_7 else r_7 <-R keys_t; r_7); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Replaced (x_1 = x_1) with true at 423 - - Replaced ((u_4[ri_4, ri_5] = ich) && (ri_5 = i) && (x_1 = x[ri_4, ri_5])) with false at 395 - - Remove branch 1 in find at 388 -yields - -Game 23 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, 
enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - r_4: keys_t <- (x: bitstring <- info_7; {182}find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(u_4, u_4[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then r_6[u_8, u_9] orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then r_7[u_4] else r_6 <-R keys_t; r_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - k'_1: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_1: bitstring <- info_8; {388}if defined(x_1, r_7) then r_7 else r_7 <-R keys_t; r_7); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, 
m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 1 in find at 388 - - Find at 388 removed (else branch kept if any) - - Replaced defined condition u_4, u_4[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9] with u_4[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9] in find at 182 -yields - -Game 24 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - x: bitstring <- info_7; - find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(u_4[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then - r_4: keys_t <- r_6[u_8, u_9]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then - r_4: keys_t <- r_7[u_4]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - r_4: keys_t <- r_6; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - k'_1: kemkey_t <- cst_kemkey_t; - x_1: bitstring <- info_8; - r_7 <-R keys_t; - r_5: keys_t <- r_7; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k'_1 (definition removed, all usages removed) - - Remove assignments on x_1 (definition removed, all usages removed) - - Remove assignments on r_5 
(definition removed, all usages removed) - - Remove assignments on x (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) -yields - -Game 25 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else -{154} find u_4 = ri <= Qcperuser suchthat defined(ce[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - x: bitstring <- cst_bitstring; -{179} find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(info_7[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9], r_6[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (info_7 = info_7[ri_8, ri_9]) then - nonce_9: nonce_t <- get2(r_6[u_8, u_9]); - key_8: key_t <- get1(r_6[u_8, u_9]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind 
suchthat defined(info_8[u_4], ce[u_4], r_7[u_4]) && (info_7 = info_8[u_4]) then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition info_8[u_4], ce[u_4], r_7[u_4] with an empty condition in find at 179 - - In branch 1 of find at 179, substituting u_9 with i - - Replaced defined condition info_7[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9], r_6[ri_8, ri_9] with r_6[ri_8], info_7[ri_8], u_4[ri_8] in find at 179 - - Replaced defined condition ce[ri], s'[ri], ce[ri] with r_7[ri], 
info_8[ri], s'[ri], ce[ri] in find at 154 -yields - -Game 26 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - x: bitstring <- cst_bitstring; - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && {188}((u_4[ri_8] = u_4) && (i = i) && (info_7 = info_7[ri_8])) then - u_9 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- 
get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((u_4[ri_8] = u_4) && (i = i) && (info_7 = info_7[ri_8])) with ((u_4[ri_8] = u_4) && (info_7 = info_7[ri_8])) at 188 -yields - -Game 27 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - 
return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - x: bitstring <- cst_bitstring; - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - u_9 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - 
Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to x -yields - -Game 28 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - u_9 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: 
bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_9 (definition removed, all usages removed) -yields - -Game 29 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: 
bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- get2(r_7[u_4]); - key_8: key_t <- get1(r_7[u_4]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t 
<- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_7 -> r -yields - -Game 30 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - 
find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - nonce_9: nonce_t <- get2(r_6[u_8]); - key_8: key_t <- get1(r_6[u_8]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- part2[u_4]; - key_8: key_t <- part1[u_4]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- 
Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_6 -> r -yields - -Game 31 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - nonce_9: nonce_t <- part2_1[u_8]; - key_8: key_t <- part1_1[u_8]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - nonce_9: nonce_t <- part2[u_4]; - key_8: key_t <- part1[u_4]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_6: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on r_7 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_6 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - 
Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) -yields - -Game 32 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else -{154} find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then -{183} find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_4], part2[u_4]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - 
else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition part2_1[ri_8], part1_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8] with part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8] in find at 183 - - Replaced defined condition part2[ri], part1[ri], part1[ri], info_8[ri], s'[ri], ce[ri] with part2[ri], part1[ri], info_8[ri], s'[ri], ce[ri] in find at 154 -yields - -Game 33 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- 
KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_4], part2[u_4]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': 
keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying equivalence int_ctxt(Seal_inner) with part1 [probability Adv_ctxt(time(context for game 33) + time, #Ochall, #Oadec)] - - Equivalence int_ctxt(Seal_inner) with variables: part2 -> n, part1 -> k_1 -yields - -Game 34 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then 
- let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then -{243} let injbot(pt_7: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_10; if defined(x_2[u_4], d[u_4], r_8[u_4]) && (r_8[u_4] = y) && (d[u_4] = c_d) then injbot(x_2[u_4]) else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- (x_2: bitstring <- pt_8; d: bitstring <- aad_11; r_8: bitstring <- Seal_inner(x_2, d, part1, part2); r_8); - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Remove let at 243 - - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 243 - - Remove else branch of let at 243 -yields - -Game 35 is - Ostart() := - b <-R bool; - return(); - foreach i 
<= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then - y: bitstring <- c; - c_d: bitstring <- aad_10; - if defined(x_2[u_4], d[u_4], r_8[u_4]) && (r_8[u_4] = y) && (d[u_4] = c_d) then - pt_7: bitstring <- x_2[u_4]; - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let 
AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - x_2: bitstring <- pt_8; - d: bitstring <- aad_11; - r_8: bitstring <- Seal_inner(x_2, d, part1, part2); - ct_9: bitstring <- r_8; - E_1: pkey_t <- pkgen(s'); - return((ce, ct_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_2 (definition removed, all usages removed) - - Remove assignments on d (definition removed, all usages removed) - - Remove assignments on ct_9 (definition removed, all usages removed) - - Remove assignments on y (definition removed, all usages removed) - - Remove assignments on c_d (definition removed, all usages removed) - - Remove assignments on pt_7 (definition removed, all usages removed) -yields - -Game 36 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- 
get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{100} find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], r_8[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then -{181} find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_4] then -{245} if defined(pt_8[u_4], aad_11[u_4], pt_8[u_4], pt_8[u_4], r_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10) then - return(OpenAuth_Some(Context_Open_Some(pt_8[u_4]))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: 
bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Simplified find at 245 in branch of find at 181 - - Replaced defined condition r_8[u_2], r_8[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_1[u_2] with info_8[u_2], aad_11[u_2], r_8[u_2], ce[u_2], E_1[u_2] in find at 100 -yields - -Game 37 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], r_8[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then -{179} find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && 
(info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(pt_8[u_4], aad_11[u_4], pt_8[u_4], pt_8[u_4], r_8[u_4]) && {254}((info_7 = info_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10)) then - return(OpenAuth_Some(Context_Open_Some(pt_8[u_4]))) - else -{293} if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Transformed find at 293 into a test - - Replaced ((info_7 = info_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10)) with false at 254 - - Remove branch 2 in find at 179 -yields - -Game 38 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s 
<-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], r_8[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying equivalence ind_cpa(Seal_inner) [probability Adv_cpa(time(context for game 38) + time, #Ochall)] - - Equivalence ind_cpa(Seal_inner) with variables: part2 -> n, part1 -> k_1 -yields - -Game 39 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], r_8[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find 
[unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - part1: key_t <- cst_key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- (x_3: bitstring <- pt_8; d_1: bitstring <- aad_11; r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); r_9); - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 40 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R 
kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], r_8[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= 
Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - part1: key_t <- cst_key_t; - pt_8: bitstring <- test(b, m0, m1); - x_3: bitstring <- pt_8; - d_1: bitstring <- aad_11; - r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); - r_8: bitstring <- r_9; - E_1: pkey_t <- pkgen(s'); - return((ce, r_8)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on part1 (definition removed, all usages removed) - - Remove assignments on x_3 (definition removed, all usages removed) - - Remove assignments on d_1 (definition removed, all usages removed) - - Remove assignments on r_8 (definition removed, all usages removed) -yields - -Game 41 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{100} find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], r_9[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser 
suchthat defined(part1_2[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_9: bitstring <- {390}enc'(Length(pt_8), aad_11, part1_2, part2_2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_9)) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced enc'(Length(pt_8), aad_11, part1_2, part2_2) with enc'(Length(m0), aad_11, part1_2, part2_2) at 390 - - Replaced defined condition r_9[u_2], r_9[u_2], info_8[u_2], aad_11[u_2], ce[u_2], E_1[u_2] with info_8[u_2], aad_11[u_2], 
r_9[u_2], ce[u_2], E_1[u_2] in find at 100 -yields - -Game 42 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], r_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, 
info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_9)) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on pt_8 (definition removed, all usages removed) -yields - -Game 43 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_4 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], r_9[u_2], ce[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then - return(OpenAuth_None) - else - find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], 
info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then - find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_4] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ich <= Qcperuser do - Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - if Length(m0) = Length(m1) then - k_6 <-R kemseed_t; - pk_6: pkey_t <- pkgen(s); - sk_3: skey_t <- skgen(s'); - ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); - E_1: pkey_t <- pkgen(s'); - return((ce, r_9)) - else - return(bottom) - )) - - -Proved secrecy of b in game 43 -Adv[Game 1: secrecy of b] <= 2 * Adv_cpa(time_1, #Ochall) + 2 * Adv_ctxt(time_2, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_3, #Ochall, #Ochall + #Oadec) + 2 * Adv_Insider_CCA(time_4, N, #Oaenc, #Ochall, #Oadec) + 6 * N * N * P_pk_coll + Adv[Game 43: secrecy of b] -Adv[Game 43: secrecy of b] <= 0 -RESULT Proved 
secrecy of b up to probability 2 * Adv_cpa(time_1, #Ochall) + 2 * Adv_ctxt(time_2, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_3, #Ochall, #Ochall + #Oadec) + 2 * Adv_Insider_CCA(time_4, N, #Oaenc, #Ochall, #Oadec) + 6 * N * N * P_pk_coll -RESULT time_1 = time(context for game 38) + time -RESULT time_2 = time(context for game 33) + time -RESULT time_3 = time(context for game 21) + time -RESULT time_4 = time(context for game 10) + time -RESULT time(context for game 10) = (#Oaenc + #Ochall) * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 10: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 10: m), maxlength(game 10: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 10: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: ct_9), maxlength(game 10: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: aad_11), maxlength(game 10: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: info_8), maxlength(game 10: info_7)) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 10: info_7)) + #Oadec * time(Open_inner, maxlength(game 10: c), maxlength(game 10: aad_10)) + #Oadec * time(let injbot, maxlength(game 10: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 10: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 10: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 10: m0)), length(Length, maxlength(game 10: m1))) + #Ochall * time(Length, maxlength(game 10: m1)) + #Ochall * time(Length, maxlength(game 10: m0)) + #Ochall * time(skgen) + #Ochall * time(KeySchedule_auth, maxlength(game 10: info_8)) + #Ochall * time(test, maxlength(game 10: m0), maxlength(game 10: m1)) + #Ochall * time(Seal_inner, maxlength(game 10: pt_8), maxlength(game 10: aad_11)) + #Ochall * time(pkgen) 
-RESULT time(context for game 21) = (N + #Oadec * Qcperuser + 2 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 21: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 21: m), maxlength(game 21: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 21: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 21: ct_9), maxlength(game 21: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 21: aad_11), maxlength(game 21: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 21: info_8), maxlength(game 21: info_7)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 21: info_7)) + #Oadec * time(Open_inner, maxlength(game 21: c), maxlength(game 21: aad_10)) + #Oadec * time(let injbot, maxlength(game 21: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 21: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 21: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 21: m0)), length(Length, maxlength(game 21: m1))) + #Ochall * time(Length, maxlength(game 21: m1)) + #Ochall * time(Length, maxlength(game 21: m0)) + #Ochall * time(test, maxlength(game 21: m0), maxlength(game 21: m1)) + #Ochall * time(Seal_inner, maxlength(game 21: pt_8), maxlength(game 21: aad_11)) -RESULT time(context for game 33) = (N + #Oadec * Qcperuser + 2 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 33: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 33: m), 
maxlength(game 33: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 33: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 33: ct_9), maxlength(game 33: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 33: aad_11), maxlength(game 33: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 33: info_8), maxlength(game 33: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 33: info_7), maxlength(game 33: info_7)) + #Oadec * time(= bitstring, maxlength(game 33: info_7), maxlength(game 33: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 33: info_7)) + #Oadec * time(Open_inner, maxlength(game 33: c), maxlength(game 33: aad_10)) + #Oadec * time(let injbot, maxlength(game 33: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 33: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 33: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 33: m0)), length(Length, maxlength(game 33: m1))) + #Ochall * time(Length, maxlength(game 33: m1)) + #Ochall * time(Length, maxlength(game 33: m0)) + #Ochall * time(test, maxlength(game 33: m0), maxlength(game 33: m1)) -RESULT time(context for game 38) = (N + #Oadec * Qcperuser + 2 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 38: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 38: m), maxlength(game 38: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 38: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 38: r_8), maxlength(game 38: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 38: aad_11), maxlength(game 38: aad_10)) + #Oadec * Qcperuser * time(= bitstring, 
maxlength(game 38: info_8), maxlength(game 38: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 38: info_7), maxlength(game 38: info_7)) + #Oadec * time(= bitstring, maxlength(game 38: info_7), maxlength(game 38: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 38: info_7)) + #Oadec * time(Open_inner, maxlength(game 38: c), maxlength(game 38: aad_10)) + #Oadec * time(let injbot, maxlength(game 38: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 38: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 38: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 38: m0)), length(Length, maxlength(game 38: m1))) + #Ochall * time(Length, maxlength(game 38: m1)) + #Ochall * time(Length, maxlength(game 38: m0)) + #Ochall * time(test, maxlength(game 38: m0), maxlength(game 38: m1)) -All queries proved. +Initial state +Game 1 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + return((let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_8: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- 
xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + get E(=pk_4, =the_pk, =enc_7, =c, =aad_10, =info_7) in + return(OpenAuth_None) + else + return((info_hash: bitstring <- info_7; let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); skS_2: skey_t <- skgen(s'); let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, the_pk, skS_2)) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else 
SetupAuthS_None) in let Context_Seal_Some(ct_10: bitstring) = (let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in + insert E(pkgen(s'), the_pk, enc_star, c_star, aad_11, info_8); + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand get, insert and prove unique annotations + - Expand get/insert for table E +yields + +Game 2 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + {8}let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + return({29}(let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in {41}let KeySchedule_Some(ctx_6: context_t) = {42}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {79}let Context_Seal_Some(ct_8: bitstring) = {80}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat 
defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + return((info_hash: bitstring <- info_7; {194}let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in {205}let KeySchedule_Some(ctx_8: context_t) = {206}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({241}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then +{289} let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); skS_2: skey_t <- skgen(s'); {304}let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, the_pk, skS_2)) in {316}let KeySchedule_Some(ctx_10: context_t) = {317}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in {354}let Context_Seal_Some(ct_10: bitstring) = 
{355}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in + E_1: pkey_t <- pkgen(s'); + E_2: pkey_t <- the_pk; + E_3: kemciph_t <- enc_star; + E_4: bitstring <- c_star; + E_5: bitstring <- aad_11; + E_6: bitstring <- info_8; + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 8 + - Remove let at 289 + - Remove let at 304 + - Remove let at 289 + - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 317 + - Remove else branch of let at 317 + - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 316 + - Remove else branch of let at 316 + - Simplify pattern SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) (tuple expanded) at 304 + - Remove else branch of let at 304 + - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 355 + - Remove else branch of let at 355 + - Simplify pattern Context_Seal_Some(ct_10: bitstring) (tuple expanded) at 354 + - Remove else branch of let at 354 + - Simplify pattern SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) (tuple expanded) at 289 + - Remove else branch of let at 289 + - Remove let at 194 + - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 206 + - Remove else branch of let at 206 + - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 205 + - Remove else branch of let at 205 + - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 194 + - Remove else branch of let at 194 + - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 241 + - 
Remove else branch of let at 241 + - Remove let at 29 + - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 42 + - Remove else branch of let at 42 + - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 41 + - Remove else branch of let at 41 + - Simplify pattern SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) (tuple expanded) at 29 + - Remove else branch of let at 29 + - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 80 + - Remove else branch of let at 80 + - Simplify pattern Context_Seal_Some(ct_8: bitstring) (tuple expanded) at 79 + - Remove else branch of let at 79 +yields + +Game 3 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); + ctx_7: context_t <- ctx_6; + enc_6: kemciph_t <- enc_5; + seq_3: nonce_t <- nonce_zero; + nonce_7: nonce_t <- nonce_6; + key_7: key_t <- key_6; + nonce_8: nonce_t <- xor(nonce_7, seq_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_7, nonce_8); + ct_8: bitstring <- ct_7; + return(SealAuth_Some(enc_6, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && 
(E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + info_hash: bitstring <- info_7; + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); + ctx_9: context_t <- ctx_8; + seq_4: nonce_t <- nonce_zero; + nonce_10: nonce_t <- nonce_9; + key_9: key_t <- key_8; + nonce_11: nonce_t <- xor(nonce_10, seq_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_9, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); + ctx_11: context_t <- ctx_10; + enc_9: kemciph_t <- enc_8; + seq_5: nonce_t <- nonce_zero; + nonce_13: nonce_t <- nonce_12; + key_11: key_t <- key_10; + nonce_14: nonce_t <- xor(nonce_13, seq_5); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_11, nonce_14); + ct_10: bitstring <- ct_9; + c_star: bitstring <- ct_10; + enc_star: kemciph_t <- enc_9; + E_1: pkey_t <- pkgen(s'); + E_2: pkey_t <- the_pk; + E_3: kemciph_t <- enc_star; + E_4: bitstring <- c_star; + E_5: bitstring <- aad_11; + E_6: bitstring <- info_8; + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments 
on ctx_11 (definition removed, all usages removed) + - Remove assignments on enc_9 (definition removed, all usages removed) + - Remove assignments on nonce_13 (definition removed, all usages removed) + - Remove assignments on key_11 (definition removed, all usages removed) + - Remove assignments on ct_10 (definition removed, all usages removed) + - Remove assignments on c_star (definition removed, all usages removed) + - Remove assignments on enc_star (definition removed, all usages removed) + - Remove assignments on E_2 (definition removed, all usages removed) + - Remove assignments on E_3 (definition removed, all usages removed) + - Remove assignments on E_4 (definition removed, all usages removed) + - Remove assignments on E_5 (definition removed, all usages removed) + - Remove assignments on E_6 (definition removed, all usages removed) + - Remove assignments on info_hash (definition removed, all usages removed) + - Remove assignments on ctx_9 (definition removed, all usages removed) + - Remove assignments on nonce_10 (definition removed, all usages removed) + - Remove assignments on key_9 (definition removed, all usages removed) + - Remove assignments on ctx_7 (definition removed, all usages removed) + - Remove assignments on enc_6 (definition removed, all usages removed) + - Remove assignments on nonce_7 (definition removed, all usages removed) + - Remove assignments on key_7 (definition removed, all usages removed) + - Remove assignments on ct_8 (definition removed, all usages removed) + - Remove assignments on ctx_10 (definition removed, all usages removed) + - Remove assignments on ctx_8 (definition removed, all usages removed) + - Remove assignments on ctx_6 (definition removed, all usages removed) +yields + +Game 4 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: 
bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- {59}xor(nonce_6, seq_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := +{104} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], enc_8[u_2, u_3], ct_9[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], E_1[u_2, u_3]) && {116}((E_1[u_2, u_3] = pk_4) && (the_pk[u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- {196}xor(nonce_9, seq_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: 
nonce_t <- nonce_zero; + nonce_14: nonce_t <- {299}xor(nonce_12, seq_5); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced xor(nonce_12, seq_5) with nonce_12 at 299 + - Replaced xor(nonce_9, seq_4) with nonce_9 at 196 + - Replaced ((E_1[u_2, u_3] = pk_4) && (the_pk[u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) with ((E_1[u_2, u_3] = pk_4) && (u_3 = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) at 116 + - In branch 1 of find at 104, substituting u_1 with i + - Replaced defined condition the_pk[u_3], enc_8[u_2, u_3], ct_9[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], E_1[u_2, u_3] with info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2] in find at 104 + - Replaced xor(nonce_6, seq_3) with nonce_6 at 59 +yields + +Game 5 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat 
defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && {111}((E_1[u_2] = pk_4) && (i = i) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) then + u_1 <= N <- i; + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((E_1[u_2] = pk_4) && (i = i) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) with ((E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7)) at 111 +yields + +Game 6 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + 
Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + u_1 <= N <- i; + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, 
nonce_14); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to pt_8 + - Move assignment to seq_4 +yields + +Game 7 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + u_1 <= N <- i; + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + 
k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on seq_5 (definition removed, all usages removed) + - Remove assignments on nonce_14 (definition removed, all usages removed) + - Remove assignments on nonce_11 (definition removed, all usages removed) + - Remove assignments on u_1 (definition removed, all usages removed) + - Remove assignments on seq_3 (definition removed, all usages removed) + - Remove assignments on nonce_8 (definition removed, all usages removed) +yields + +Game 8 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && 
(aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_sk + - Remove assignments on the_sk (definition removed, all usages removed) +yields + +Game 9 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: 
kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, the_pk, skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_pk + - Remove assignments on the_pk (definition removed, all usages removed) +yields + +Game 10 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t 
<- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pkgen(s), skS_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence insider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Insider_CCA(time_1, N, #Oaenc, #Ochall, #Oadec)] + - Equivalence insider_cca(AuthEncap) with variables: k_3 -> ks', k_2 -> ks, s -> s_1 +yields + +Game 11 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser 
do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (pk_R: pkey_t <- pk_3; AuthEncap_r(k_4, pk_R, skgen(s))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else +{144} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S: pkey_t <- pk_4; cd: kemciph_t <- enc_7; find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1], s'_1[ri, ri_1]) && (ce[ri, ri_1] = cd) && (pkgen(s'_1[ri, ri_1]) = pk_S) && (pkgen(s[ri_1]) = pkgen(s)) then AuthDecap_Some(k'_1[u_4, u_5]) else AuthDecap(cd, skgen(s), pk_S)) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; +{278} let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (s'_1: keypairseed_t <- s'; let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = 
AuthEncap_r(k_6, pkgen(s), skgen(s'_1)) in k': kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_1, ce) else AuthEncap_None) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability N^2 * P_pk_coll] + - Expand if/find/let + - Simplify pattern AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) (tuple expanded) at 278 + - Remove else branch of let at 278 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 144 + - Remove else branch of let at 144 +yields + +Game 12 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + pk_R: pkey_t <- pk_3; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_R, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + pk_S: pkey_t <- pk_4; + cd: kemciph_t <- enc_7; + find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1], 
s'_1[ri, ri_1]) && (ce[ri, ri_1] = cd) && (pkgen(s'_1[ri, ri_1]) = pk_S) && (pkgen(s[ri_1]) = pkgen(s)) then + shared_secret_4: kemkey_t <- k'_1[u_4, u_5]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + skS_2: skey_t <- skgen(s'); + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; + s'_1: keypairseed_t <- s'; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s'_1)) in + k': kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce; + shared_secret_5: kemkey_t <- k'_1; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + 
return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on skS_2 (definition removed, all usages removed) + - Remove assignments on s'_1 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on enc_8 (definition kept, array references kept) + - Remove assignments on pk_S (definition removed, all usages removed) + - Remove assignments on cd (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on pk_R (definition removed, all usages removed) +yields + +Game 13 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else +{140} find u_4 = ri <= Qcperuser, u_5 = ri_1 <= N suchthat defined(s'[ri, ri_1], k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1]) && {150}((ce[ri, ri_1] = enc_7) && (pkgen(s'[ri, ri_1]) = pk_4) && (pkgen(s[ri_1]) = pkgen(s))) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4, u_5], info_7); + 
nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + k': kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((ce[ri, ri_1] = enc_7) && (pkgen(s'[ri, ri_1]) = pk_4) && (pkgen(s[ri_1]) = pkgen(s))) with ((ce[ri, ri_1] = enc_7) && (pkgen(s'[ri, ri_1]) = pk_4) && (ri_1 = i)) at 150 + - In branch 1 of find at 140, 
substituting u_5 with i + - Replaced defined condition s'[ri, ri_1], k'[ri, ri_1], ce[ri, ri_1], k'_1[ri, ri_1], s[ri_1] with k'[ri], k'_1[ri], s'[ri], ce[ri] in find at 140 +yields + +Game 14 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && {149}((ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) && (i = i)) then + u_5 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + k': kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) && (i = i)) with ((ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4)) at 149 +yields + +Game 15 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: 
kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + u_5 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + k'_1 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + k': kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + 
key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move random number generation k'_1 +yields + +Game 16 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + u_5 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: 
bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + k': kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + k'_1 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_1 <-R kemkey_t; + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_5 (definition removed, all usages removed) +yields + +Game 17 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_4, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else 
+ return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'[ri], k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_6, pkgen(s), skgen(s')) in + k': kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- 
KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + k'_1 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_1 <-R kemkey_t; + return(bottom) + else + return(bottom) + )) + + +Applying equivalence eliminate_failing(AuthEncap) + - Equivalence eliminate_failing(AuthEncap) +yields + +Game 18 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + {21} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_7: kemseed_t <- k_4; pk_5: pkey_t <- pk_3; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_7, pk_5, sk_2), AuthEncap_enc_r(k_7, pk_5, sk_2))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; +{314} let AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) = (k_8: kemseed_t <- k_6; pk_6: pkey_t <- pkgen(s); sk_3: skey_t <- skgen(s'); AuthEncap_tuple(AuthEncap_key_r(k_8, pk_6, sk_3), AuthEncap_enc_r(k_8, pk_6, sk_3))) in + k': kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + k'_1 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_1 <-R kemkey_t; + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce: kemciph_t) (tuple expanded) at 314 + - Remove else branch of let at 314 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 21 + - Remove else branch of let at 21 
+yields + +Game 19 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + k_7: kemseed_t <- k_4; + pk_5: pkey_t <- pk_3; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_7, pk_5, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_7, pk_5, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(info_8[u_2], aad_11[u_2], ct_9[u_2], enc_8[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (enc_8[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: 
bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + k_8: kemseed_t <- k_6; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_8, pk_6, sk_3); + k_5: kemkey_t <- AuthEncap_key_r(k_8, pk_6, sk_3); + k': kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k_8 (definition removed, all usages removed) + - Remove assignments on k_5 (definition removed, all usages removed) + - Remove assignments on k' (definition removed, all usages removed) + - Remove assignments on enc_8 (definition removed, all usages removed) + - Remove assignments on k_7 (definition removed, all usages removed) + - Remove assignments on pk_5 (definition removed, all usages removed) +yields + +Game 20 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], 
ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_4], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + k'_1 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_1, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying equivalence prf(KeySchedule_auth) with k'_1 [probability Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec)] + - Equivalence prf(KeySchedule_auth) with variables: k'_1 -> k_1 +yields + +Game 21 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: 
pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(r_6[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then r_6[u_8, u_9] orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then r_7[u_4] else r_6 <-R keys_t; r_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + 
Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + k'_1: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_1: bitstring <- info_8; {386}find [unique] u_6 = ri_4 <= Qdperuser, u_7 = ri_5 <= N suchthat defined(u_4[ri_4, ri_5], x[ri_4, ri_5], r_6[ri_4, ri_5]) && {393}((u_4[ri_4, ri_5] = ich) && (ri_5 = i) && (x_1 = x[ri_4, ri_5])) then r_6[u_6, u_7] else r_7 <-R keys_t; r_7); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Replaced ((u_4[ri_4, ri_5] = ich) && (ri_5 = i) && (x_1 = x[ri_4, ri_5])) with false at 393 + - Remove branch 1 in find at 386 + - Find at 386 removed (else branch kept if any) +yields + +Game 22 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && 
(ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(r_6[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then r_6[u_8, u_9] orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then r_7[u_4] else r_6 <-R keys_t; r_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + k'_1: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_1: bitstring <- info_8; r_7 <-R keys_t; r_7); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 23 is + Ostart() := + b <-R bool; + return(); + foreach i <= N 
do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(k'_1[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + x: bitstring <- info_7; + find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(r_6[ri_8, ri_9], x[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (x = x[ri_8, ri_9]) then + r_4: keys_t <- r_6[u_8, u_9]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(x_1[u_4], r_7[u_4]) && (x = x_1[u_4]) then + r_4: keys_t <- r_7[u_4]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + r_4: keys_t <- r_6; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let 
injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + k'_1: kemkey_t <- cst_kemkey_t; + x_1: bitstring <- info_8; + r_7 <-R keys_t; + r_5: keys_t <- r_7; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k'_1 (definition removed, all usages removed) + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on x (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) +yields + +Game 24 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: 
bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else +{154} find u_4 = ri <= Qcperuser suchthat defined(s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + x: bitstring <- cst_bitstring; +{177} find [unique] u_8 = ri_8 <= Qdperuser, u_9 = ri_9 <= N suchthat defined(info_7[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9], u_4[ri_8, ri_9]) && (u_4[ri_8, ri_9] = u_4) && (ri_9 = i) && (info_7 = info_7[ri_8, ri_9]) then + nonce_9: nonce_t <- get2(r_6[u_8, u_9]); + key_8: key_t <- get1(r_6[u_8, u_9]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_8[u_4], ce[u_4], r_7[u_4]) && (info_7 = info_8[u_4]) then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced defined condition info_8[u_4], ce[u_4], r_7[u_4] with an empty condition in find at 177 + - In branch 1 of find at 177, substituting u_9 with i + - Replaced defined condition info_7[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9], u_4[ri_8, ri_9] with r_6[ri_8], info_7[ri_8], u_4[ri_8] in find at 177 + - Replaced defined condition s'[ri], ce[ri] with r_7[ri], info_8[ri], s'[ri], ce[ri] in find at 154 +yields + +Game 25 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + 
key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + x: bitstring <- cst_bitstring; + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && {188}((u_4[ri_8] = u_4) && (i = i) && (info_7 = info_7[ri_8])) then + u_9 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((u_4[ri_8] = u_4) && (i = i) && (info_7 = info_7[ri_8])) with ((u_4[ri_8] = u_4) && (info_7 = info_7[ri_8])) at 188 +yields + +Game 26 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + x: bitstring <- 
cst_bitstring; + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + u_9 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying move all binders + - Move 
assignment to x +yields + +Game 27 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + u_9 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, 
aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_9 (definition removed, all usages removed) +yields + +Game 28 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + 
find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- get2(r_7[u_4]); + key_8: key_t <- get1(r_7[u_4]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: 
kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_7 -> r +yields + +Game 29 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + nonce_9: nonce_t <- get2(r_6[u_8]); + key_8: key_t <- get1(r_6[u_8]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat 
info_7 = info_8[u_4] then + nonce_9: nonce_t <- part2[u_4]; + key_8: key_t <- part1[u_4]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2 <-R nonce_t; + part1 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_6 -> r +yields + +Game 30 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, 
sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], r_7[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], r_6[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + nonce_9: nonce_t <- part2_1[u_8]; + key_8: key_t <- part1_1[u_8]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + nonce_9: nonce_t <- part2[u_4]; + key_8: key_t <- part1[u_4]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_6: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: 
nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2 <-R nonce_t; + part1 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on r_7 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_6 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) +yields + +Game 31 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + 
shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part2[ri], part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_4], part2[u_4]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + 
else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying equivalence int_ctxt(Seal_inner) with part1 [probability Adv_ctxt(time_3, #Ochall, #Oadec)] + - Equivalence int_ctxt(Seal_inner) with variables: part2 -> n, part1 -> k_1 +yields + +Game 32 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], 
u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then +{243} let injbot(pt_7: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_10; if defined(x_2[u_4], d[u_4], r_8[u_4]) && (r_8[u_4] = y) && (d[u_4] = c_d) then injbot(x_2[u_4]) else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- (x_2: bitstring <- pt_8; d: bitstring <- aad_11; r_8: bitstring <- Seal_inner(x_2, d, part1, part2); r_8); + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Remove let at 243 + - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 243 + - Remove else branch of let at 243 +yields + 
+Game 33 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(ce[u_2], info_8[u_2], aad_11[u_2], ct_9[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (ct_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then + y: bitstring <- c; + c_d: bitstring <- aad_10; + if defined(x_2[u_4], d[u_4], r_8[u_4]) && (r_8[u_4] = y) && (d[u_4] = c_d) then + pt_7: bitstring <- x_2[u_4]; + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + x_2: bitstring <- pt_8; + d: bitstring <- aad_11; + r_8: bitstring <- Seal_inner(x_2, d, part1, part2); + ct_9: bitstring <- r_8; + E_1: pkey_t <- pkgen(s'); + return((ce, ct_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_2 (definition removed, all usages removed) + - Remove assignments on d (definition removed, all usages removed) + - Remove assignments on ct_9 (definition removed, all usages removed) + - Remove assignments on y (definition removed, all usages removed) + - Remove assignments on c_d (definition removed, all usages removed) + - Remove assignments on pt_7 (definition removed, all usages removed) +yields + +Game 34 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + 
nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then +{179} find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_4] then +{243} if defined(aad_11[u_4], pt_8[u_4], r_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10) then + return(OpenAuth_Some(Context_Open_Some(pt_8[u_4]))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, 
m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + E_1: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Simplified find at 243 in branch of find at 179 +yields + +Game 35 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then +{179} find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + 
else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(aad_11[u_4], pt_8[u_4], r_8[u_4]) && {246}((info_7 = info_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10)) then + return(OpenAuth_Some(Context_Open_Some(pt_8[u_4]))) + else +{285} if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + E_1: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Transformed find at 285 into a test + - Replaced ((info_7 = info_8[u_4]) && (r_8[u_4] = c) && (aad_11[u_4] = aad_10)) with false at 246 + - Remove branch 2 in find at 179 +yields + +Game 36 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t 
<- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': 
keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + E_1: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying equivalence ind_cpa(Seal_inner) [probability Adv_cpa(time_4, #Ochall)] + - Equivalence ind_cpa(Seal_inner) with variables: part2 -> n, part1 -> k_1 +yields + +Game 37 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, 
aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + part1: key_t <- cst_key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- (x_3: bitstring <- pt_8; d_1: bitstring <- aad_11; r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); r_9); + E_1: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 38 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- 
KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_8[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_8[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t 
<- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + part1: key_t <- cst_key_t; + pt_8: bitstring <- test(b, m0, m1); + x_3: bitstring <- pt_8; + d_1: bitstring <- aad_11; + r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); + r_8: bitstring <- r_9; + E_1: pkey_t <- pkgen(s'); + return((ce, r_8)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on part1 (definition removed, all usages removed) + - Remove assignments on x_3 (definition removed, all usages removed) + - Remove assignments on d_1 (definition removed, all usages removed) + - Remove assignments on r_8 (definition removed, all usages removed) +yields + +Game 39 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], 
info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_9: bitstring <- {388}enc'(Length(pt_8), aad_11, part1_2, part2_2); + E_1: pkey_t <- pkgen(s'); + return((ce, r_9)) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced enc'(Length(pt_8), aad_11, part1_2, part2_2) with enc'(Length(m0), aad_11, part1_2, part2_2) at 388 +yields + +Game 40 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- 
AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: 
bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); + E_1: pkey_t <- pkgen(s'); + return((ce, r_9)) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pt_8 (definition removed, all usages removed) +yields + +Game 41 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_4 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc_r(k_4, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key_r(k_4, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser suchthat defined(r_9[u_2], ce[u_2], info_8[u_2], aad_11[u_2], E_1[u_2]) && (E_1[u_2] = pk_4) && (ce[u_2] = enc_7) && (r_9[u_2] = c) && (aad_11[u_2] = aad_10) && (info_8[u_2] = info_7) then + return(OpenAuth_None) + else + find u_4 = ri <= Qcperuser suchthat defined(part1_2[ri], info_8[ri], s'[ri], ce[ri]) && (ce[ri] = enc_7) && (pkgen(s'[ri]) = pk_4) then + find [unique] u_8 = ri_8 <= Qdperuser suchthat defined(part2_1[ri_8], part1_1[ri_8], info_7[ri_8], u_4[ri_8]) && (u_4[ri_8] = u_4) && (info_7 = info_7[ri_8]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_8], part2_1[u_8]) in + 
return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_4] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ich <= Qcperuser do + Ochall(s': keypairseed_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + if Length(m0) = Length(m1) then + k_6 <-R kemseed_t; + pk_6: pkey_t <- pkgen(s); + sk_3: skey_t <- skgen(s'); + ce: kemciph_t <- AuthEncap_enc_r(k_6, pk_6, sk_3); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); + E_1: pkey_t <- pkgen(s'); + return((ce, r_9)) + else + return(bottom) + )) + + +Proved secrecy of b in game 41 +Adv[Game 1: secrecy of b] <= 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Insider_CCA(time_1, N, #Oaenc, #Ochall, #Oadec) + 6 * N^2 * P_pk_coll + Adv[Game 41: secrecy of b] +Adv[Game 41: secrecy of b] <= 0 +RESULT Proved secrecy of b up to probability 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Insider_CCA(time_1, N, #Oaenc, #Ochall, #Oadec) + 6 * N^2 * P_pk_coll +RESULT time_1 = time + time(context for game 10) = (#Oaenc + #Ochall) * time(let 
AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 10: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 10: m), maxlength(game 10: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 10: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: ct_9), maxlength(game 10: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: aad_11), maxlength(game 10: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 10: info_8), maxlength(game 10: info_7)) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 10: info_7)) + #Oadec * time(Open_inner, maxlength(game 10: c), maxlength(game 10: aad_10)) + #Oadec * time(let injbot, maxlength(game 10: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 10: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 10: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 10: m0)), length(Length, maxlength(game 10: m1))) + #Ochall * time(Length, maxlength(game 10: m1)) + #Ochall * time(Length, maxlength(game 10: m0)) + #Ochall * time(skgen) + #Ochall * time(KeySchedule_auth, maxlength(game 10: info_8)) + #Ochall * time(test, maxlength(game 10: m0), maxlength(game 10: m1)) + #Ochall * time(Seal_inner, maxlength(game 10: pt_8), maxlength(game 10: aad_11)) + #Ochall * time(pkgen) + time +RESULT time_2 = time + time(context for game 20) = (N + #Oadec * Qcperuser + 2 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 20: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 20: m), maxlength(game 20: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 
20: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 20: ct_9), maxlength(game 20: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 20: aad_11), maxlength(game 20: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 20: info_8), maxlength(game 20: info_7)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 20: info_7)) + #Oadec * time(Open_inner, maxlength(game 20: c), maxlength(game 20: aad_10)) + #Oadec * time(let injbot, maxlength(game 20: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 20: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 20: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 20: m0)), length(Length, maxlength(game 20: m1))) + #Ochall * time(Length, maxlength(game 20: m1)) + #Ochall * time(Length, maxlength(game 20: m0)) + #Ochall * time(test, maxlength(game 20: m0), maxlength(game 20: m1)) + #Ochall * time(Seal_inner, maxlength(game 20: pt_8), maxlength(game 20: aad_11)) + time +RESULT time_3 = time + time(context for game 31) = (N + #Oadec * Qcperuser + 2 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 31: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 31: m), maxlength(game 31: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 31: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 31: ct_9), maxlength(game 31: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 31: aad_11), maxlength(game 31: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 31: info_8), maxlength(game 31: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 31: info_7), maxlength(game 31: info_7)) + 
#Oadec * time(= bitstring, maxlength(game 31: info_7), maxlength(game 31: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 31: info_7)) + #Oadec * time(Open_inner, maxlength(game 31: c), maxlength(game 31: aad_10)) + #Oadec * time(let injbot, maxlength(game 31: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 31: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 31: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 31: m0)), length(Length, maxlength(game 31: m1))) + #Ochall * time(Length, maxlength(game 31: m1)) + #Ochall * time(Length, maxlength(game 31: m0)) + #Ochall * time(test, maxlength(game 31: m0), maxlength(game 31: m1)) + time +RESULT time_4 = time + time(context for game 36) = (N + #Oadec * Qcperuser + 2 * #Ochall) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 36: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 36: m), maxlength(game 36: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 36: ct_7)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 36: r_8), maxlength(game 36: c)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 36: aad_11), maxlength(game 36: aad_10)) + #Oadec * Qcperuser * time(= bitstring, maxlength(game 36: info_8), maxlength(game 36: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 36: info_7), maxlength(game 36: info_7)) + #Oadec * time(= bitstring, maxlength(game 36: info_7), maxlength(game 36: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 36: info_7)) + #Oadec * time(Open_inner, maxlength(game 36: c), maxlength(game 36: aad_10)) + #Oadec * 
time(let injbot, maxlength(game 36: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 36: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 36: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 36: m0)), length(Length, maxlength(game 36: m1))) + #Ochall * time(Length, maxlength(game 36: m1)) + #Ochall * time(Length, maxlength(game 36: m0)) + #Ochall * time(test, maxlength(game 36: m0), maxlength(game 36: m1)) + time +All queries proved. diff --git a/hpke.auth.outsider-auth.proof b/hpke.auth.outsider-auth.proof index 5515aed..2357d78 100644 --- a/hpke.auth.outsider-auth.proof +++ b/hpke.auth.outsider-auth.proof 
@@ -1,8141 +1,7690 @@ -Initial state -Game 1 is - (( - foreach i <= N do - Osetup() := - let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - let SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) = (let SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_1: pkey_t <- pk_2; sk: skey_t <- the_sk; k <-R kemseed_t; AuthEncap_r(k, pk_1, sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_4, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_9: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_8: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_8, key_7, nonce_8)); Context_Seal_Some(ct_8) else Context_Seal_None) in SealAuth_Some(enc_5, ct_9) else SealAuth_None else SealAuth_None) in - insert E(the_pk, pk_2, enc_6, ct_10, aad_8, info_5); - return(SealAuth_Some(enc_6, ct_10)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - return((let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: 
key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_6: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_9, key_9, nonce_11)) in Context_Open_Some(pt_6) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i'']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - get E(=pk_S, =pk_R, =enc_star, =ciph_star, =aad_star, =info_star) in - return(bottom) - else - let OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) = (skR_2: skey_t <- the_sk[i''_1]; let SetupAuthR_Some(ctx_11: context_t) = (let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_10) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in let injbot(pt_7: bitstring) = (nonce_14: nonce_t <- xor(nonce_13, seq_5); Open_inner(ciph_star, aad_star, key_11, nonce_14)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - )) - - -Applying expand get, insert - - Expand get/insert for table E -yields - -Game 2 is - (( - foreach i <= N do - Osetup() := - {5} let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - {23} let SealAuth_Some(enc_6: kemciph_t, ct_10: 
bitstring) = {24}(let SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_1: pkey_t <- pk_2; sk: skey_t <- the_sk; k <-R kemseed_t; AuthEncap_r(k, pk_1, sk)) in {44}let KeySchedule_Some(ctx_6: context_t) = {45}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_4, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {82}let Context_Seal_Some(ct_9: bitstring) = {83}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_8: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_8, key_7, nonce_8)); Context_Seal_Some(ct_8) else Context_Seal_None) in SealAuth_Some(enc_5, ct_9) else SealAuth_None else SealAuth_None) in - E_1: pkey_t <- the_pk; - E_2: pkey_t <- pk_2; - E_3: kemciph_t <- enc_6; - E_4: bitstring <- ct_10; - E_5: bitstring <- aad_8; - E_6: bitstring <- info_5; - return(SealAuth_Some(enc_6, ct_10)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - return({172}(let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in {183}let KeySchedule_Some(ctx_8: context_t) = {184}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({219}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_6: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_9, key_9, nonce_11)) in Context_Open_Some(pt_6) else 
Context_Open_None else Context_Open_None)) else OpenAuth_None)) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - {255} find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i'']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_S) && (E_2[u_2, u_3] = pk_R) && (E_3[u_2, u_3] = enc_star) && (E_4[u_2, u_3] = ciph_star) && (E_5[u_2, u_3] = aad_star) && (E_6[u_2, u_3] = info_star) then - return(bottom) - else - {321} let OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) = (skR_2: skey_t <- the_sk[i''_1]; {325}let SetupAuthR_Some(ctx_11: context_t) = (let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in {331}let KeySchedule_Some(ctx_10: context_t) = {332}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_10) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({353}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in let injbot(pt_7: bitstring) = (nonce_14: nonce_t <- xor(nonce_13, seq_5); Open_inner(ciph_star, aad_star, key_11, nonce_14)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Remove let at 321 - - Remove let at 325 - - Remove let at 321 - - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 332 - - Remove else branch of let at 332 - - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 
331 - - Remove else branch of let at 331 - - Simplify pattern SetupAuthR_Some(ctx_11: context_t) (tuple expanded) at 325 - - Remove else branch of let at 325 - - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 353 - - Remove else branch of let at 353 - - Simplify pattern OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) (tuple expanded) at 321 - - Remove let at 321 - - Simplify pattern Context_Open_Some(pt_8: bitstring) (tuple expanded), pattern OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) (tuple expanded) at 321 - - Remove else branch of let at 321 - - Replaced defined condition the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i''] with the_sk[i''], the_pk[i''], the_pk[i'] in find at 255 - - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 5 - - Remove let at 172 - - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 184 - - Remove else branch of let at 184 - - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 183 - - Remove else branch of let at 183 - - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 172 - - Remove else branch of let at 172 - - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 219 - - Remove else branch of let at 219 - - Remove let at 23 - - Remove let at 24 - - Remove let at 23 - - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 45 - - Remove else branch of let at 45 - - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 44 - - Remove else branch of let at 44 - - Simplify pattern SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) (tuple expanded) at 24 - - Remove else branch of let at 24 - - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 83 - - Remove else branch of let at 83 - - Simplify pattern Context_Seal_Some(ct_9: bitstring) (tuple expanded) at 82 - - Remove else 
branch of let at 82 - - Simplify pattern SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) (tuple expanded) at 23 - - Remove else branch of let at 23 -yields - -Game 3 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - pk_1: pkey_t <- pk_2; - sk: skey_t <- the_sk; - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_1, sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); - ctx_7: context_t <- ctx_6; - enc_5: kemciph_t <- enc_4; - seq_3: nonce_t <- nonce_zero; - nonce_7: nonce_t <- nonce_6; - key_7: key_t <- key_6; - nonce_8: nonce_t <- xor(nonce_7, seq_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_7, nonce_8); - ct_9: bitstring <- ct_8; - ct_10: bitstring <- ct_9; - enc_6: kemciph_t <- enc_5; - E_1: pkey_t <- the_pk; - E_2: pkey_t <- pk_2; - E_3: kemciph_t <- enc_6; - E_4: bitstring <- ct_10; - E_5: bitstring <- aad_8; - E_6: bitstring <- info_5; - return(SealAuth_Some(enc_6, ct_10)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); - ctx_9: context_t <- ctx_8; - seq_4: nonce_t <- nonce_zero; - nonce_10: nonce_t <- nonce_9; - key_9: key_t <- key_8; - nonce_11: nonce_t <- xor(nonce_10, seq_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_9, nonce_11) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_S) && (E_2[u_2, u_3] = pk_R) && (E_3[u_2, u_3] = enc_star) && (E_4[u_2, u_3] = ciph_star) && (E_5[u_2, u_3] = aad_star) && (E_6[u_2, u_3] = info_star) then - return(bottom) - else - skR_2: skey_t <- the_sk[i''_1]; - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); - ctx_11: context_t <- ctx_10; - seq_5: nonce_t <- nonce_zero; - nonce_13: nonce_t <- nonce_12; - key_11: key_t <- key_10; - nonce_14: nonce_t <- xor(nonce_13, seq_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_11, nonce_14) in - pt_8: bitstring <- pt_7; - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on skR_2 (definition removed, all usages removed) - - Remove assignments on ctx_11 (definition removed, all usages removed) - - Remove assignments on nonce_13 (definition removed, all usages removed) - - Remove assignments on key_11 (definition removed, all usages removed) - - Remove assignments on pt_8 (definition removed, all usages removed) - - Remove assignments on ctx_9 (definition removed, all usages removed) - - Remove assignments on nonce_10 (definition removed, 
all usages removed) - - Remove assignments on key_9 (definition removed, all usages removed) - - Remove assignments on pk_1 (definition removed, all usages removed) - - Remove assignments on sk (definition removed, all usages removed) - - Remove assignments on ctx_7 (definition removed, all usages removed) - - Remove assignments on enc_5 (definition removed, all usages removed) - - Remove assignments on nonce_7 (definition removed, all usages removed) - - Remove assignments on key_7 (definition removed, all usages removed) - - Remove assignments on ct_9 (definition removed, all usages removed) - - Remove assignments on ct_10 (definition removed, all usages removed) - - Remove assignments on enc_6 (definition removed, all usages removed) - - Remove assignments on E_1 (definition removed, all usages removed) - - Remove assignments on E_2 (definition removed, all usages removed) - - Remove assignments on E_3 (definition removed, all usages removed) - - Remove assignments on E_4 (definition removed, all usages removed) - - Remove assignments on E_5 (definition removed, all usages removed) - - Remove assignments on E_6 (definition removed, all usages removed) - - Remove assignments on ctx_10 (definition removed, all usages removed) - - Remove assignments on ctx_8 (definition removed, all usages removed) - - Remove assignments on ctx_6 (definition removed, all usages removed) -yields - -Game 4 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- {55}xor(nonce_6, seq_3); - ct_8: 
bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- {131}xor(nonce_9, seq_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - {190} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], pk_2[u_2, u_3], enc_4[u_2, u_3], ct_8[u_2, u_3], aad_8[u_2, u_3], info_5[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3]) && {214}((the_pk[u_3] = pk_S) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) then - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- {271}xor(nonce_12, seq_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - 
-Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Replaced xor(nonce_12, seq_5) with nonce_12 at 271 - - Replaced ((the_pk[u_3] = pk_S) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) with ((u_3 = i'_1) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) at 214 - - In branch 1 of find at 190, substituting u_1 with i'_1 - - Replaced defined condition the_pk[u_3], pk_2[u_2, u_3], enc_4[u_2, u_3], ct_8[u_2, u_3], aad_8[u_2, u_3], info_5[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3], ct_8[u_2, u_3] with info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1] in find at 190 - - Replaced xor(nonce_9, seq_4) with nonce_9 at 131 - - Replaced xor(nonce_6, seq_3) with nonce_6 at 55 -yields - -Game 5 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: 
nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && {193}((i'_1 = i'_1) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) then - u_1 <= N <- i'_1; - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((i'_1 = i'_1) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) with ((pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) at 193 -yields - -Game 6 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - 
return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - u_1 <= N <- i'_1; - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: 
key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to seq_5 - - Move assignment to seq_4 -yields - -Game 7 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - nonce_11: nonce_t <- nonce_9; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, 
i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - u_1 <= N <- i'_1; - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - nonce_14: nonce_t <- nonce_12; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on nonce_14 (definition removed, all usages removed) - - Remove assignments on u_1 (definition removed, all usages removed) - - Remove assignments on nonce_11 (definition removed, all usages removed) - - Remove assignments on seq_3 (definition removed, all usages removed) - - Remove assignments on nonce_8 (definition removed, all usages removed) -yields - -Game 8 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in - r_4: keys_t <- 
KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_sk - - Remove assignments on the_sk (definition removed, all usages removed) -yields - -Game 9 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - 
return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], the_pk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_pk - - Remove assignments on the_pk (definition removed, all usages removed) -yields - -Game 10 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - let 
AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'], s[i''], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence outsider_cca(AuthEncap) with variables: s -> s_1 [probability 
Adv_Outsider_CCA(time(context for game 10) + time, N, #Oaenc, 1 + #Oadec)] - - Equivalence outsider_cca(AuthEncap) with variables: k -> ks, s -> s_1 -yields - -Game 11 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - {18} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_R_1: pkey_t <- pk_2; find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_R_1 = pkgen(s[ri_4])) then let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in k': kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_1, ce) else AuthEncap_None else AuthEncap_r(k, pk_R_1, skgen(s))) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {117} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S_1: pkey_t <- pk_3; cd: kemciph_t <- enc_7; find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], s[ri_3], pk_R_1[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3]) && (pkgen(s) = pk_R_1[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_S_1) && (ce[ri_2, ri_3] = cd) then AuthDecap_Some(k'_1[u_6, u_7]) else AuthDecap(cd, skgen(s), pk_S_1)) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: 
bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - {288} let AuthDecap_Some(shared_secret_5: kemkey_t) = (pk_S_2: pkey_t <- pk_S; cd_1: kemciph_t <- enc_star; find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], s[ri_1], pk_R_1[ri, ri_1], k'_1[ri, ri_1], ce[ri, ri_1]) && (pkgen(s[i''_1]) = pk_R_1[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S_2) && (ce[ri, ri_1] = cd_1) then AuthDecap_Some(k'_1[u_4, u_5]) else AuthDecap(cd_1, skgen(s[i''_1]), pk_S_2)) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand [probability N * N * P_pk_coll] - - Expand if/find/let - - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 288 - - Remove else branch of let at 288 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 117 - - Remove else branch of let at 117 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) (tuple expanded) at 18 - - Remove else branch of let at 18 -yields - -Game 12 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - pk_R_1: pkey_t <- pk_2; - find 
u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_R_1 = pkgen(s[ri_4])) then - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - shared_secret_3: kemkey_t <- k'_1; - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - pk_S_1: pkey_t <- pk_3; - cd: kemciph_t <- enc_7; - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], s[ri_3], pk_R_1[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3]) && (pkgen(s) = pk_R_1[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_S_1) && (ce[ri_2, ri_3] = cd) then - shared_secret_4: kemkey_t <- k'_1[u_6, u_7]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) 
= AuthDecap(cd, skgen(s), pk_S_1) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - pk_S_2: pkey_t <- pk_S; - cd_1: kemciph_t <- enc_star; - find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], s[ri_1], pk_R_1[ri, ri_1], k'_1[ri, ri_1], ce[ri, ri_1]) && (pkgen(s[i''_1]) = pk_R_1[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S_2) && (ce[ri, ri_1] = cd_1) then - shared_secret_5: kemkey_t <- k'_1[u_4, u_5]; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(cd_1, skgen(s[i''_1]), pk_S_2) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of 
findcond - - Remove assignments on pk_S_2 (definition removed, all usages removed) - - Remove assignments on cd_1 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on pk_S_1 (definition removed, all usages removed) - - Remove assignments on cd (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on pk_R_1 (definition removed, all usages removed) - - Remove assignments on shared_secret_3 (definition removed, all usages removed) - - Remove assignments on enc_4 (definition kept, array references kept) -yields - -Game 13 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, 
key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {209} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(pk_2[ri_2, ri_3], k'_1[ri_2, ri_3], k'[ri_2, ri_3], s[ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3]) && {221}((pkgen(s) = pk_2[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - {418} find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(pk_2[ri, ri_1], k'_1[ri, ri_1], k'[ri, ri_1], s[ri_1], k'_1[ri, ri_1], ce[ri, ri_1]) && {430}((pkgen(s[i''_1]) = pk_2[ri, ri_1]) && 
(pkgen(s[ri_1]) = pk_S) && (ce[ri, ri_1] = enc_star)) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, u_5], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Replaced ((pkgen(s[i''_1]) = pk_2[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S) && (ce[ri, ri_1] = enc_star)) with ((i''_1 = u_8[ri, ri_1]) && (ri_1 = i'_1) && (ce[ri, ri_1] = enc_star)) at 430 - - In branch 1 of find at 418, substituting u_5 with i'_1 - - Replaced defined condition pk_2[ri, ri_1], k'_1[ri, ri_1], k'[ri, ri_1], s[ri_1], k'_1[ri, ri_1], ce[ri, ri_1] with k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1] in find at 418 - - Replaced ((pkgen(s) = pk_2[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7)) with ((i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7)) at 221 - - Replaced defined condition pk_2[ri_2, ri_3], k'_1[ri_2, ri_3], k'[ri_2, ri_3], s[ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3] with k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 209 -yields - -Game 14 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then 
- let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && {423}((i''_1 = u_8[ri, i'_1]) && (i'_1 = i'_1) && (ce[ri, i'_1] = enc_star)) then - u_5 <= N <- i'_1; - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((i''_1 = u_8[ri, i'_1]) && (i'_1 = i'_1) && (ce[ri, i'_1] = enc_star)) with ((i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star)) at 423 -yields - -Game 15 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, 
info_5: bitstring) := - k <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(enc_4, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - 
nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - u_5 <= N <- i'_1; - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move random number generation k'_1 - - Move random number generation k -yields - -Game 16 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, 
aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k <-R kemseed_t; - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let 
AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - u_5 <= N <- i'_1; - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_5 (definition removed, all usages removed) - - Rename variable k into 
k_3, k_2 -yields - -Game 17 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let 
injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - 
return(bottom) - )) - - -Applying equivalence outsider_auth(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_Auth(time(context for game 17) + time, N, #Oaenc, 1 + #Oadec)] - - Equivalence outsider_auth(AuthEncap) with variables: k_3 -> ks, k_2 -> ks, s -> s_1 -yields - -Game 18 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = (pk_R_3: pkey_t <- pk_2; let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_R_3, skgen(s)) in AuthEncap_tuple(k_6, ce_2) else AuthEncap_None) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_R_2: pkey_t <- pk_2; let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_R_2, skgen(s)) in AuthEncap_tuple(k_5, ce_1) else AuthEncap_None) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 
<-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S_3: pkey_t <- pk_3; cd_2: kemciph_t <- enc_7; find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(s[ri_17], pk_S_3[ri_16, ri_17], k'_2[ri_16, ri_17], cd_2[ri_16, ri_17]) && (pkgen(s) = pkgen(s[ri_17])) && (pk_S_3[ri_16, ri_17] = pk_S_3) && (cd_2[ri_16, ri_17] = cd_2) then AuthDecap_Some(k'_2[u_20, u_21]) orfind suchthat defined(s[i''_1], pk_S_4, k'_3, cd_3) && (pkgen(s) = pkgen(s[i''_1])) && (pk_S_4 = pk_S_3) && (cd_3 = cd_2) then AuthDecap_Some(k'_3) orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(s[ri_15], pk_R_2[ri_14, ri_15], k_5[ri_14, ri_15], ce_1[ri_14, ri_15]) && (pkgen(s) = pk_R_2[ri_14, ri_15]) && (pkgen(s[ri_15]) = pk_S_3) && (ce_1[ri_14, ri_15] = cd_2) then AuthDecap_Some(k_5[u_18, u_19]) orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(s[ri_13], pk_R_3[ri_12, ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && (pkgen(s) = pk_R_3[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_S_3) && (ce_2[ri_12, ri_13] = cd_2) then AuthDecap_Some(k_6[u_16, u_17]) else find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_S_3 = pkgen(s[ri_18])) then let AuthDecap_Some(k0: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in k'_2 <-R kemkey_t; AuthDecap_Some(k'_2) else AuthDecap_None else 
AuthDecap(cd_2, skgen(s), pk_S_3)) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(shared_secret_5: kemkey_t) = (pk_S_4: pkey_t <- pk_S; cd_3: kemciph_t <- enc_star; find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(s[ri_10], pk_S_3[ri_9, ri_10], k'_2[ri_9, ri_10], cd_2[ri_9, ri_10]) && (pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_S_3[ri_9, ri_10] = pk_S_4) && (cd_2[ri_9, ri_10] = cd_3) then AuthDecap_Some(k'_2[u_13, u_14]) orfind suchthat defined(s[i''_1], pk_S_4, k'_3, cd_3) && {699}((pkgen(s[i''_1]) = pkgen(s[i''_1])) && (pk_S_4 = pk_S_4) && (cd_3 = cd_3)) then AuthDecap_Some(k'_3) orfind u_11 = ri_7 <= Qeperuser, u_12 = ri_8 <= N suchthat 
defined(s[ri_8], pk_R_2[ri_7, ri_8], k_5[ri_7, ri_8], ce_1[ri_7, ri_8]) && (pkgen(s[i''_1]) = pk_R_2[ri_7, ri_8]) && (pkgen(s[ri_8]) = pk_S_4) && (ce_1[ri_7, ri_8] = cd_3) then AuthDecap_Some(k_5[u_11, u_12]) orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(s[ri_6], pk_R_3[ri_5, ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && (pkgen(s[i''_1]) = pk_R_3[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S_4) && (ce_2[ri_5, ri_6] = cd_3) then AuthDecap_Some(k_6[u_9, u_10]) else find u_15 = ri_11 <= N suchthat defined(s[ri_11]) && (pk_S_4 = pkgen(s[ri_11])) then let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4) in k'_3 <-R kemkey_t; AuthDecap_Some(k'_3) else AuthDecap_None else AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4)) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify (non-expanded game) [probability N * N * P_pk_coll] - - Simplification pass - - Replaced ((pkgen(s[i''_1]) = pkgen(s[i''_1])) && (pk_S_4 = pk_S_4) && (cd_3 = cd_3)) with true at 699 -yields - -Game 19 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - {26} let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = (pk_R_3: pkey_t <- pk_2; let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_R_3, skgen(s)) in AuthEncap_tuple(k_6, ce_2) else AuthEncap_None) in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- 
get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - {160} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_R_2: pkey_t <- pk_2; let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_R_2, skgen(s)) in AuthEncap_tuple(k_5, ce_1) else AuthEncap_None) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {240} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - {323} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S_3: pkey_t <- pk_3; cd_2: kemciph_t <- enc_7; {332}find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(s[ri_17], pk_S_3[ri_16, ri_17], k'_2[ri_16, ri_17], cd_2[ri_16, ri_17]) && (pkgen(s) = pkgen(s[ri_17])) && 
(pk_S_3[ri_16, ri_17] = pk_S_3) && (cd_2[ri_16, ri_17] = cd_2) then AuthDecap_Some(k'_2[u_20, u_21]) orfind suchthat defined(s[i''_1], pk_S_4, k'_3, cd_3) && (pkgen(s) = pkgen(s[i''_1])) && (pk_S_4 = pk_S_3) && (cd_3 = cd_2) then AuthDecap_Some(k'_3) orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(s[ri_15], pk_R_2[ri_14, ri_15], k_5[ri_14, ri_15], ce_1[ri_14, ri_15]) && (pkgen(s) = pk_R_2[ri_14, ri_15]) && (pkgen(s[ri_15]) = pk_S_3) && (ce_1[ri_14, ri_15] = cd_2) then AuthDecap_Some(k_5[u_18, u_19]) orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(s[ri_13], pk_R_3[ri_12, ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && (pkgen(s) = pk_R_3[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_S_3) && (ce_2[ri_12, ri_13] = cd_2) then AuthDecap_Some(k_6[u_16, u_17]) else find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_S_3 = pkgen(s[ri_18])) then let AuthDecap_Some(k0: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in k'_2 <-R kemkey_t; AuthDecap_Some(k'_2) else AuthDecap_None else AuthDecap(cd_2, skgen(s), pk_S_3)) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - {616} find u_4 
= ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - {662} let AuthDecap_Some(shared_secret_5: kemkey_t) = (pk_S_4: pkey_t <- pk_S; cd_3: kemciph_t <- enc_star; {667}find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(s[ri_10], pk_S_3[ri_9, ri_10], k'_2[ri_9, ri_10], cd_2[ri_9, ri_10]) && (pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_S_3[ri_9, ri_10] = pk_S_4) && (cd_2[ri_9, ri_10] = cd_3) then AuthDecap_Some(k'_2[u_13, u_14]) orfind suchthat defined(s[i''_1], pk_S_4, k'_3, cd_3) then AuthDecap_Some(k'_3) orfind u_11 = ri_7 <= Qeperuser, u_12 = ri_8 <= N suchthat defined(s[ri_8], pk_R_2[ri_7, ri_8], k_5[ri_7, ri_8], ce_1[ri_7, ri_8]) && (pkgen(s[i''_1]) = pk_R_2[ri_7, ri_8]) && (pkgen(s[ri_8]) = pk_S_4) && (ce_1[ri_7, ri_8] = cd_3) then AuthDecap_Some(k_5[u_11, u_12]) orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(s[ri_6], pk_R_3[ri_5, ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && (pkgen(s[i''_1]) = pk_R_3[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S_4) && (ce_2[ri_5, ri_6] = cd_3) then AuthDecap_Some(k_6[u_9, u_10]) else {762}find u_15 = ri_11 <= N suchthat defined(s[ri_11]) && (pk_S_4 = pkgen(s[ri_11])) then let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4) in k'_3 <-R kemkey_t; AuthDecap_Some(k'_3) else AuthDecap_None else AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4)) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - 
else - return(bottom) - )) - - -Applying expand [probability (#Oaenc * N + N * N) * P_pk_coll] - - Expand if/find/let - - Remove else branch of find at 762 - - Remove let at 662 - - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 662 - - Remove else branch of let at 662 - - A single branch always succeeds in find at 762 - - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 662 - - Remove else branch of let at 662 - - Remove branch 3 in find at 667 - - Remove branch 2 in find at 667 - - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 662 - - Remove else branch of let at 662 - - Replaced defined condition k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1] with k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1] in find at 616 - - Remove let at 323 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 323 - - Remove else branch of let at 323 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 323 - - Remove else branch of let at 323 - - Remove branch 3 in find at 332 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 323 - - Remove else branch of let at 323 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 323 - - Remove else branch of let at 323 - - Replaced defined condition k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] with k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 240 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) (tuple expanded) at 160 - - Remove else branch of let at 160 - - Simplify pattern AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) (tuple expanded) at 26 - - Remove else branch of let at 26 -yields - -Game 20 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: 
bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - pk_R_3: pkey_t <- pk_2; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_R_3, skgen(s)) in - ce: kemciph_t <- ce_2; - k_1: kemkey_t <- k_6; - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - k': kemkey_t <- cst_kemkey_t; - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - pk_R_2: pkey_t <- pk_2; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_R_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - shared_secret_3: kemkey_t <- k_5; - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: 
key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - pk_S_3: pkey_t <- pk_3; - cd_2: kemciph_t <- enc_7; - find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(s[ri_17], pk_S_3[ri_16, ri_17], k'_2[ri_16, ri_17], cd_2[ri_16, ri_17]) && (pkgen(s) = pkgen(s[ri_17])) && (pk_S_3[ri_16, ri_17] = pk_S_3) && (cd_2[ri_16, ri_17] = cd_2) then - shared_secret_4: kemkey_t <- k'_2[u_20, u_21]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(s[i''_1], pk_S_4, k'_3, cd_3) && (pkgen(s) = pkgen(s[i''_1])) && (pk_S_4 = pk_S_3) && (cd_3 = cd_2) then - shared_secret_4: kemkey_t <- k'_3; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat 
defined(s[ri_13], pk_R_3[ri_12, ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && (pkgen(s) = pk_R_3[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_S_3) && (ce_2[ri_12, ri_13] = cd_2) then - shared_secret_4: kemkey_t <- k_6[u_16, u_17]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_S_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in - k'_2 <-R kemkey_t; - shared_secret_4: kemkey_t <- k'_2; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && 
(aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - pk_S_4: pkey_t <- pk_S; - cd_3: kemciph_t <- enc_star; - find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(s[ri_10], pk_S_3[ri_9, ri_10], k'_2[ri_9, ri_10], cd_2[ri_9, ri_10]) && (pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_S_3[ri_9, ri_10] = pk_S_4) && (cd_2[ri_9, ri_10] = cd_3) then - shared_secret_5: kemkey_t <- k'_2[u_13, u_14]; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(s[ri_6], pk_R_3[ri_5, ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && (pkgen(s[i''_1]) = pk_R_3[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S_4) && (ce_2[ri_5, ri_6] = cd_3) then - shared_secret_5: kemkey_t <- k_6[u_9, u_10]; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4) in - k'_3 <-R kemkey_t; - shared_secret_5: kemkey_t <- k'_3; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, 
aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on pk_S_4 (definition point kept, all usages removed) - - Remove assignments on cd_3 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on pk_S_3 (definition point kept, all usages removed) - - Remove assignments on cd_2 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on pk_R_2 (definition removed, all usages removed) - - Remove assignments on shared_secret_3 (definition removed, all usages removed) - - Remove assignments on enc_4 (definition kept, array references kept) - - Remove assignments on pk_R_3 (definition removed, all usages removed) - - Remove assignments on k' (definition removed, all usages removed) - - Remove assignments on k_1 (definition removed, all usages removed) - - Remove assignments on k' (definition removed, all usages removed) - - Remove assignments on ce (definition kept, array references kept) -yields - -Game 21 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: 
kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat 
defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - pk_S_3: pkey_t <- cst_pkey_t; - {407} find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(pk_3[ri_16, ri_17], enc_7[ri_16, ri_17], pk_S_3[ri_16, ri_17], pk_S_3[ri_16, ri_17], s[ri_17], k'_2[ri_16, ri_17]) && {419}((pkgen(s) = pkgen(s[ri_17])) && (pk_3[ri_16, ri_17] = pk_3) && (enc_7[ri_16, ri_17] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20, u_21], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(pk_S, enc_star, pk_S_4, pk_S_4, s[i''_1], k'_3) && {495}((pkgen(s) = pkgen(s[i''_1])) && (pk_S = pk_3) && (enc_star = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(pk_2[ri_12, ri_13], k_3[ri_12, ri_13], s[ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && {569}((pkgen(s) = pk_2[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_3) && (ce_2[ri_12, ri_13] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k_6[u_16, u_17], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else 
- return(bottom) - else - pk_S_4: pkey_t <- cst_pkey_t; - {886} find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(pk_3[ri_9, ri_10], enc_7[ri_9, ri_10], pk_S_3[ri_9, ri_10], pk_S_3[ri_9, ri_10], s[ri_10], k'_2[ri_9, ri_10]) && {898}((pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_3[ri_9, ri_10] = pk_S) && (enc_7[ri_9, ri_10] = enc_star)) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, u_14], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(pk_2[ri_5, ri_6], k_3[ri_5, ri_6], s[ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && {952}((pkgen(s[i''_1]) = pk_2[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S) && (ce_2[ri_5, ri_6] = enc_star)) then - r_5: keys_t <- KeySchedule_auth(k_6[u_9, u_10], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Replaced ((pkgen(s[i''_1]) = pk_2[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S) && (ce_2[ri_5, ri_6] = enc_star)) with ((i''_1 = u_8[ri_5, ri_6]) && (ri_6 = i'_1) && (ce_2[ri_5, ri_6] = enc_star)) at 952 - - Remove branch 2 in find at 886 - - Replaced ((pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_3[ri_9, ri_10] = pk_S) && (enc_7[ri_9, ri_10] = enc_star)) with ((i''_1 = 
ri_10) && (u_22[ri_9, ri_10] = i'_1) && (enc_7[ri_9, ri_10] = enc_star)) at 898 - - In branch 1 of find at 886, substituting u_14 with i''_1 - - Replaced defined condition pk_3[ri_9, ri_10], enc_7[ri_9, ri_10], pk_S_3[ri_9, ri_10], pk_S_3[ri_9, ri_10], s[ri_10], k'_2[ri_9, ri_10] with k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] in find at 886 - - Replaced ((pkgen(s) = pk_2[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_3) && (ce_2[ri_12, ri_13] = enc_7)) with ((i = u_8[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_3) && (ce_2[ri_12, ri_13] = enc_7)) at 569 - - Remove branch 3 in find at 407 - - Replaced ((pkgen(s) = pkgen(s[i''_1])) && (pk_S = pk_3) && (enc_star = enc_7)) with ((i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7)) at 495 - - Replaced defined condition pk_S, enc_star, pk_S_4, pk_S_4, s[i''_1], k'_3 with k'_3, enc_star, pk_S, i''_1 in find at 407 - - Replaced ((pkgen(s) = pkgen(s[ri_17])) && (pk_3[ri_16, ri_17] = pk_3) && (enc_7[ri_16, ri_17] = enc_7)) with ((i = ri_17) && (pk_3[ri_16, ri_17] = pk_3) && (enc_7[ri_16, ri_17] = enc_7)) at 419 - - In branch 1 of find at 407, substituting u_21 with i - - Replaced defined condition pk_3[ri_16, ri_17], enc_7[ri_16, ri_17], pk_S_3[ri_16, ri_17], pk_S_3[ri_16, ri_17], s[ri_17], k'_2[ri_16, ri_17] with k'_2[ri_16], enc_7[ri_16], pk_3[ri_16] in find at 407 -yields - -Game 22 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - 
return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: 
bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - pk_S_3: pkey_t <- cst_pkey_t; - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && {414}((i = i) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7)) then - u_21 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: 
pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - pk_S_4: pkey_t <- cst_pkey_t; - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && {796}((i''_1 = i''_1) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star)) then - u_14 <= N <- i''_1; - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced ((i''_1 = i''_1) && 
(u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star)) with ((u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star)) at 796 - - Replaced ((i = i) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7)) with ((pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7)) at 414 -yields - -Game 23 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - 
k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - pk_S_3: pkey_t <- cst_pkey_t; - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - u_21 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N 
suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - pk_S_4: pkey_t <- cst_pkey_t; - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], 
enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - u_14 <= N <- i''_1; - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to pk_S_4 - - Move assignment to pk_S_3 -yields - -Game 24 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = 
AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - u_21 <= N <- i; - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let 
injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = 
aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - u_14 <= N <- i''_1; - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_14 (definition removed, all usages removed) - - Remove assignments on u_21 (definition removed, all usages removed) -yields - -Game 25 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in - ce: kemciph_t <- ce_2; - enc_4: 
kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, 
ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - 
-Applying equivalence eliminate_failing(AuthEncap) - - Equivalence eliminate_failing(AuthEncap) -yields - -Game 26 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - {26} let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = (k_8: kemseed_t <- k_3; pk_5: pkey_t <- pk_2; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_8, pk_5, sk_2), AuthEncap_enc_r(k_8, pk_5, sk_2))) in - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in - enc_4: kemciph_t <- ce; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - {226} let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = (k_7: kemseed_t <- k_2; pk_4: pkey_t <- pk_2; sk_1: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_7, pk_4, sk_1), AuthEncap_enc_r(k_7, pk_4, sk_1))) in - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: 
key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_4, ct_8)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - 
find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, 
i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) (tuple expanded) at 226 - - Remove else branch of let at 226 - - Simplify pattern AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) (tuple expanded) at 26 - - Remove else branch of let at 26 -yields - -Game 27 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - k_8: kemseed_t <- k_3; - pk_5: pkey_t <- pk_2; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_8, pk_5, sk_2); - k_6: kemkey_t <- AuthEncap_key_r(k_8, pk_5, sk_2); - ce: kemciph_t <- ce_2; - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - k_7: kemseed_t <- k_2; - pk_4: pkey_t <- pk_2; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- 
AuthEncap_enc_r(k_7, pk_4, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_7, pk_4, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - 
r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t 
<- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k_7 (definition removed, all usages removed) - - Remove assignments on pk_4 (definition removed, all usages removed) - - Remove assignments on k_8 (definition removed, all usages removed) - - Remove assignments on pk_5 (definition removed, all usages removed) - - Remove assignments on k_6 (definition removed, all usages removed) - - Remove assignments on ce (definition removed, all usages removed) -yields - -Game 28 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: 
key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {181} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) 
in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - {592} find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins 
- else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition ce_2[ri, i'_1], ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1] with k'_1[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1] in find at 592 - - Replaced defined condition ce_2[ri_2, ri_3], ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] with k'_1[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 181 -yields - -Game 29 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, 
aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2 <-R kemkey_t; - r_4: keys_t <- KeySchedule_auth(k'_2, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- 
KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_star); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let 
injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence prf(KeySchedule_auth) with k'_3, k'_2, k'_1 [probability Adv_PRF_KeySchedule(time(context for game 29) + time, #Oaenc + 1 + #Oadec, 1 + #Oaenc + Qdperuser + #Oadec)] - - Equivalence prf(KeySchedule_auth) with variables: k'_1 -> k_1, k'_2 -> k_1, k'_3 -> k_1 -yields - -Game 30 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_3: keys_t <- (x: bitstring <- info_5; {52}find [unique] suchthat defined(x, r_6) && {57}(x = x) then r_6 orfind u_37 = ri_43 <= Qdperuser, u_38 = ri_44 <= N suchthat defined(u_7[ri_43, ri_44], u_6[ri_43, ri_44], x_4[ri_43, ri_44], r_10[ri_43, ri_44]) && {75}((u_6[ri_43, ri_44] = iae) && (u_7[ri_43, ri_44] = i) && (x = x_4[ri_43, ri_44])) then r_10[u_37, u_38] orfind suchthat defined(i'_1, u_4, x_7, r_13) && {101}((u_4 = iae) && (i'_1 = i) && (x = x_7)) then r_13 else r_6 <-R keys_t; r_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - 
return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - r_4: keys_t <- (x_4: bitstring <- info_6; find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then r_6[u_6, u_7] orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(u_7, u_7[ri_39, ri_40], u_6, u_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then r_10[u_35, u_36] orfind suchthat defined(u_7, i'_1, u_6, u_4, x_7, r_13) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then r_13 else r_10 <-R keys_t; r_10); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- (x_2: bitstring <- info_6; find [unique] suchthat defined(x_1[u_20], r_7[u_20]) && (x_2 = x_1[u_20]) then r_7[u_20] orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(u_20, u_20[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then r_8[u_31, u_32] orfind suchthat defined(i''_1, u_20, u_13, x_6, r_12) && (u_13 = u_20) && (i''_1 = i) && (x_2 = x_6) then r_12 else r_8 <-R keys_t; r_8); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) 
- else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- (x_3: bitstring <- info_6; find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then r_9[u_33, u_34] orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then r_11 else r_9 <-R keys_t; r_9); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2: kemkey_t <- cst_kemkey_t; - r_4: keys_t <- (x_1: bitstring <- info_6; {684}find [unique] suchthat defined(x_1, r_7) && {689}(x_1 = x_1) then r_7 orfind u_29 = ri_29 <= Qdperuser, u_30 = ri_30 <= N suchthat defined(u_20[ri_29, ri_30], x_2[ri_29, ri_30], r_8[ri_29, ri_30]) && {705}((u_20[ri_29, ri_30] = iad) && (ri_30 = i) && (x_1 = x_2[ri_29, ri_30])) then r_8[u_29, u_30] orfind suchthat defined(i''_1, u_13, x_6, r_12) && {729}((u_13 = iad) && (i''_1 = i) && (x_1 = x_6)) then r_12 else r_7 <-R keys_t; r_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - 
return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - r_5: keys_t <- (x_7: bitstring <- info_star; {935}find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then r_6[u_4, i'_1] orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(i'_1, u_7[ri_25, ri_26], u_4, u_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then r_10[u_27, u_28] orfind suchthat defined(i'_1, u_4, x_7, r_13) && {976}((u_4 = u_4) && (i'_1 = i'_1) && (x_7 = x_7)) then r_13 else r_13 <-R keys_t; r_13); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- (x_6: bitstring <- info_star; {1031}find [unique] suchthat defined(x_1[u_13, i''_1], r_7[u_13, i''_1]) && (x_6 = x_1[u_13, i''_1]) then r_7[u_13, i''_1] orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat 
defined(i''_1, u_13, u_20[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then r_8[u_25, u_26] orfind suchthat defined(i''_1, u_13, x_6, r_12) && {1068}((u_13 = u_13) && (i''_1 = i''_1) && (x_6 = x_6)) then r_12 else r_12 <-R keys_t; r_12); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_5: bitstring <- info_star; {1114}find [unique] u_23 = ri_19 <= Qdperuser, u_24 = ri_20 <= N suchthat defined(x_3[ri_19, ri_20], r_9[ri_19, ri_20]) && {1119}(x_5 = x_3[ri_19, ri_20]) then r_9[u_23, u_24] orfind suchthat defined(x_5, r_11) && {1127}(x_5 = x_5) then r_11 else r_11 <-R keys_t; r_11); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify (non-expanded game) [probability N * N * P_pk_coll] - - Simplification pass - - Replaced ((u_4 = iae) && (i'_1 = i) && (x = x_7)) with false at 101 - - Remove branch 3 in find at 52 - - Replaced ((u_6[ri_43, ri_44] = iae) && (u_7[ri_43, ri_44] = i) && (x = x_4[ri_43, ri_44])) with false at 75 - - Remove branch 2 in find at 52 - - Replaced (x = x) with true at 57 - - Replaced ((u_13 = iad) && (i''_1 = i) && (x_1 = x_6)) with false at 729 - - Remove branch 3 in find at 684 - - Replaced ((u_20[ri_29, ri_30] = iad) && (ri_30 = i) && (x_1 = x_2[ri_29, ri_30])) with false at 705 - - Remove branch 2 in find at 684 - - Replaced (x_1 = x_1) with true at 689 - - Replaced ((u_4 = u_4) && (i'_1 = i'_1) && (x_7 = x_7)) with false at 976 - - Remove branch 3 in find 
at 935 - - Replaced ((u_13 = u_13) && (i''_1 = i''_1) && (x_6 = x_6)) with false at 1068 - - Remove branch 3 in find at 1031 - - Replaced (x_5 = x_5) with true at 1127 - - Replaced (x_5 = x_3[ri_19, ri_20]) with false at 1119 - - Remove branch 1 in find at 1114 -yields - -Game 31 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_3: keys_t <- (x: bitstring <- info_5; {52}if defined(x, r_6) then r_6 else r_6 <-R keys_t; r_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - r_4: keys_t <- (x_4: bitstring <- info_6; {229}find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then r_6[u_6, u_7] orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(u_7, u_7[ri_39, 
ri_40], u_6, u_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then r_10[u_35, u_36] orfind suchthat defined(u_7, i'_1, u_6, u_4, x_7, r_13) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then r_13 else r_10 <-R keys_t; r_10); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - r_4: keys_t <- (x_2: bitstring <- info_6; {395}find [unique] suchthat defined(x_1[u_20], r_7[u_20]) && (x_2 = x_1[u_20]) then r_7[u_20] orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(u_20, u_20[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then r_8[u_31, u_32] orfind suchthat defined(i''_1, u_20, u_13, x_6, r_12) && (u_13 = u_20) && (i''_1 = i) && (x_2 = x_6) then r_12 else r_8 <-R keys_t; r_8); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - r_4: keys_t <- (x_3: bitstring <- info_6; find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then r_9[u_33, u_34] orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then r_11 else r_9 <-R keys_t; r_9); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2: kemkey_t <- cst_kemkey_t; - r_4: keys_t <- (x_1: bitstring <- info_6; {630}if defined(x_1, r_7) then r_7 else r_7 <-R keys_t; r_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - r_5: keys_t <- (x_7: bitstring <- info_star; {831}find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then r_6[u_4, i'_1] orfind u_27 
= ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(i'_1, u_7[ri_25, ri_26], u_4, u_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then r_10[u_27, u_28] else r_13 <-R keys_t; r_13); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - r_5: keys_t <- (x_6: bitstring <- info_star; {915}find [unique] suchthat defined(x_1[u_13, i''_1], r_7[u_13, i''_1]) && (x_6 = x_1[u_13, i''_1]) then r_7[u_13, i''_1] orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(i''_1, u_13, u_20[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then r_8[u_25, u_26] else r_12 <-R keys_t; r_12); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_5: bitstring <- info_star; {986}if defined(x_5, r_11) then r_11 else r_11 <-R keys_t; r_11); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 1 in find at 986 - - Find at 986 removed (else branch kept if any) - - Replaced defined condition i''_1, u_13, u_20[ri_21, ri_22], x_2[ri_21, ri_22], 
r_8[ri_21, ri_22] with u_20[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22] in find at 915 - - Replaced defined condition i'_1, u_7[ri_25, ri_26], u_4, u_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26] with u_7[ri_25, ri_26], u_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26] in find at 831 - - Remove branch 1 in find at 630 - - Find at 630 removed (else branch kept if any) - - Replaced defined condition i''_1, u_20, u_13, x_6, r_12 with i''_1, u_13, x_6, r_12 in find at 395 - - Replaced defined condition u_20, u_20[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34] with u_20[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34] in find at 395 - - Replaced defined condition u_7, i'_1, u_6, u_4, x_7, r_13 with i'_1, u_4, x_7, r_13 in find at 229 - - Replaced defined condition u_7, u_7[ri_39, ri_40], u_6, u_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40] with u_7[ri_39, ri_40], u_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40] in find at 229 - - Remove branch 1 in find at 52 - - Find at 52 removed (else branch kept if any) -yields - -Game 32 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - x: bitstring <- info_5; - r_6 <-R keys_t; - r_3: keys_t <- r_6; - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - 
nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - x_4: bitstring <- info_6; - find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then - r_4: keys_t <- r_6[u_6, u_7]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(u_7[ri_39, ri_40], u_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then - r_4: keys_t <- r_10[u_35, u_36]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(i'_1, u_4, x_7, r_13) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then - r_4: keys_t <- r_13; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - r_4: keys_t <- r_10; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - x_2: bitstring <- info_6; - find [unique] suchthat defined(x_1[u_20], r_7[u_20]) && (x_2 = x_1[u_20]) then - r_4: keys_t <- r_7[u_20]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(u_20[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then - r_4: keys_t <- r_8[u_31, u_32]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(i''_1, u_13, x_6, r_12) && (u_13 = u_20) && (i''_1 = i) && (x_2 = x_6) then - r_4: keys_t <- r_12; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - r_4: keys_t <- r_8; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - x_3: bitstring <- info_6; - find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 
= x_3[ri_37, ri_38]) then - r_4: keys_t <- r_9[u_33, u_34]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then - r_4: keys_t <- r_11; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - r_4: keys_t <- r_9; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - k'_2: kemkey_t <- cst_kemkey_t; - x_1: bitstring <- info_6; - r_7 <-R keys_t; - r_4: keys_t <- r_7; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, 
i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - x_7: bitstring <- info_star; - find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then - r_5: keys_t <- r_6[u_4, i'_1]; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(u_7[ri_25, ri_26], u_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then - r_5: keys_t <- r_10[u_27, u_28]; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - r_5: keys_t <- r_13; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - x_6: bitstring <- info_star; - find [unique] suchthat defined(x_1[u_13, i''_1], r_7[u_13, i''_1]) && (x_6 = x_1[u_13, i''_1]) then - r_5: keys_t <- r_7[u_13, 
i''_1]; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(u_20[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then - r_5: keys_t <- r_8[u_25, u_26]; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - r_5: keys_t <- r_12; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - k'_3: kemkey_t <- cst_kemkey_t; - x_5: bitstring <- info_star; - r_11 <-R keys_t; - r_5: keys_t <- r_11; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k'_3 (definition removed, all usages removed) - - Remove assignments on x_5 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on x_6 (definition point kept, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on x_7 (definition point kept, all usages removed) - - Remove assignments on r_5 
(definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on k'_2 (definition removed, all usages removed) - - Remove assignments on x_1 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on x_2 (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on x_3 (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on x_4 (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on x (definition removed, all usages removed) - - Remove assignments on r_3 (definition removed, all usages removed) -yields - -Game 33 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- 
cst_kemkey_t; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {177} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - x_4: bitstring <- cst_bitstring; - {208} find [unique] suchthat defined(info_5[u_6, u_7], ce_2[u_6, u_7], r_6[u_6, u_7]) && (info_6 = info_5[u_6, u_7]) then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(info_6[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40], r_10[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (info_6 = info_6[ri_39, ri_40]) then - nonce_9: nonce_t <- get2(r_10[u_35, u_36]); - key_8: key_t <- get1(r_10[u_35, u_36]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(info_star, x_7, i'_1, u_4, r_13) && (u_4 = u_6) && (i'_1 = 
u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - {458} find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - x_2: bitstring <- cst_bitstring; - {482} find [unique] suchthat defined(info_6[u_20], r_7[u_20], r_7[u_20]) && (info_6 = info_6[u_20]) then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(info_6[ri_33, ri_34], x_2[ri_33, ri_34], u_20[ri_33, ri_34], r_8[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (info_6 = info_6[ri_33, ri_34]) then - nonce_9: nonce_t <- get2(r_8[u_31, u_32]); - key_8: key_t <- get1(r_8[u_31, u_32]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(info_star, x_6, i''_1, u_13, r_12) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t 
<- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - x_3: bitstring <- cst_bitstring; - {729} find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(info_6[ri_37, ri_38], x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (info_6 = info_6[ri_37, ri_38]) then - nonce_9: nonce_t <- get2(r_9[u_33, u_34]); - key_8: key_t <- get1(r_9[u_33, u_34]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(info_star, r_11, r_11) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- 
get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else -{1057} find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - x_7: bitstring <- cst_bitstring; -{1077} find [unique] suchthat defined(info_5[u_4, i'_1], ce_2[u_4, i'_1], r_6[u_4, i'_1]) && (info_star = info_5[u_4, i'_1]) then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(info_6[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26], r_10[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, 
aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else -{1183} find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - x_6: bitstring <- cst_bitstring; -{1203} find [unique] suchthat defined(info_6[u_13, i''_1], r_7[u_13, i''_1], r_7[u_13, i''_1]) && (info_star = info_6[u_13, i''_1]) then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(info_6[ri_21, ri_22], x_2[ri_21, ri_22], u_20[ri_21, ri_22], r_8[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (info_star = info_6[ri_21, ri_22]) then - nonce_12: nonce_t <- get2(r_8[u_25, u_26]); - key_10: key_t <- get1(r_8[u_25, u_26]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; - nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - In branch 2 of find at 1203, substituting u_26 with i''_1 - - Replaced defined condition info_6[ri_21, ri_22], x_2[ri_21, ri_22], u_20[ri_21, ri_22], r_8[ri_21, ri_22] with r_8[ri_21, i''_1], 
info_6[ri_21, i''_1], u_20[ri_21, i''_1] in find at 1203 - - Replaced defined condition info_6[u_13, i''_1], r_7[u_13, i''_1], r_7[u_13, i''_1] with an empty condition in find at 1203 - - Replaced defined condition r_7[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] with r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] in find at 1183 - - Replaced defined condition info_6[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26], r_10[ri_25, ri_26] with r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26] in find at 1077 - - Replaced defined condition info_5[u_4, i'_1], ce_2[u_4, i'_1], r_6[u_4, i'_1] with an empty condition in find at 1077 - - Replaced defined condition k'_1[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1] with r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1] in find at 1057 - - Replaced defined condition info_star, r_11, r_11 with an empty condition in find at 729 - - In branch 1 of find at 729, substituting u_34 with i - - Replaced defined condition info_6[ri_37, ri_38], x_3[ri_37, ri_38], r_9[ri_37, ri_38] with r_9[ri_37], info_6[ri_37] in find at 729 - - Replaced defined condition r_11, enc_star, pk_S, i''_1 with r_11, info_star, enc_star, pk_S, i''_1 in find at 458 - - Replaced defined condition info_star, x_6, i''_1, u_13, r_12 with r_12, info_star, i''_1, u_13 in find at 482 - - In branch 2 of find at 482, substituting u_32 with i - - Replaced defined condition info_6[ri_33, ri_34], x_2[ri_33, ri_34], u_20[ri_33, ri_34], r_8[ri_33, ri_34] with r_8[ri_33], info_6[ri_33], u_20[ri_33] in find at 482 - - Replaced defined condition info_6[u_20], r_7[u_20], r_7[u_20] with an empty condition in find at 482 - - Replaced defined condition r_7[ri_16], enc_7[ri_16], pk_3[ri_16] with r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16] in find at 458 - - Replaced defined condition info_star, x_7, i'_1, u_4, r_13 with r_13, info_star, i'_1, u_4 in find at 208 - - In branch 2 of 
find at 208, substituting u_36 with i - - Replaced defined condition info_6[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40], r_10[ri_39, ri_40] with r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39] in find at 208 - - Replaced defined condition info_5[u_6, u_7], ce_2[u_6, u_7], r_6[u_6, u_7] with an empty condition in find at 208 - - Replaced defined condition k'_1[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] with r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 177 -yields - -Game 34 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - x_4: bitstring 
<- cst_bitstring; - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - u_36 <= N <- i; - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - x_2: bitstring <- cst_bitstring; - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && {524}((u_20[ri_33] = 
u_20) && (i = i) && (info_6 = info_6[ri_33])) then - u_32 <= N <- i; - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - x_3: bitstring <- cst_bitstring; - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - u_34 <= N <- i; - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - 
return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - x_7: bitstring <- cst_bitstring; - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = 
ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - x_6: bitstring <- cst_bitstring; - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && {1199}((u_20[ri_21, i''_1] = u_13) && (i''_1 = i''_1) && (info_star = info_6[ri_21, i''_1])) then - u_26 <= N <- i''_1; - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; 
- nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Replaced ((u_20[ri_21, i''_1] = u_13) && (i''_1 = i''_1) && (info_star = info_6[ri_21, i''_1])) with ((u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1])) at 1199 - - Replaced ((u_20[ri_33] = u_20) && (i = i) && (info_6 = info_6[ri_33])) with ((u_20[ri_33] = u_20) && (info_6 = info_6[ri_33])) at 524 -yields - -Game 35 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && 
(i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - x_4: bitstring <- cst_bitstring; - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - u_36 <= N <- i; - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - x_2: bitstring <- cst_bitstring; - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = 
ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - u_32 <= N <- i; - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - x_3: bitstring <- cst_bitstring; - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - u_34 <= N <- i; - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - x_7: bitstring <- cst_bitstring; - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - 
event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - x_6: bitstring <- cst_bitstring; - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - u_26 <= N <- i''_1; - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, 
skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; - nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to x_6 - - Move assignment to x_7 - - Move assignment to x_2 - - Move assignment to x_3 - - Move assignment to x_4 -yields - -Game 36 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - k'_1: kemkey_t <- cst_kemkey_t; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - k'_1: kemkey_t <- cst_kemkey_t; - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - 
key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - u_36 <= N <- i; - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - u_32 <= N <- i; - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = 
Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - u_34 <= N <- i; - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- 
get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, 
u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - u_26 <= N <- i''_1; - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; - nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_26 (definition 
removed, all usages removed) - - Remove assignments on u_32 (definition removed, all usages removed) - - Remove assignments on u_34 (definition removed, all usages removed) - - Remove assignments on u_36 (definition removed, all usages removed) - - Remove assignments on k'_1 (definition removed, all usages removed) - - Remove assignments on k'_1 (definition removed, all usages removed) -yields - -Game 37 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - 
orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- get2(r_11); - key_8: key_t <- get1(r_11); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - 
else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - 
return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - r_11 <-R keys_t; - nonce_12: nonce_t <- get2(r_11); - key_10: key_t <- get1(r_11); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_11 -> r -yields - -Game 38 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, 
aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && 
(i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_12); - key_8: key_t <- get1(r_12); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - 
return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: 
kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - 
key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_12 <-R keys_t; - nonce_12: nonce_t <- get2(r_12); - key_10: key_t <- get1(r_12); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_12 -> r -yields - -Game 39 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- 
AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- get2(r_13); - key_8: key_t <- get1(r_13); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - 
return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - 
return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - 
return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - r_13 <-R keys_t; - nonce_12: nonce_t <- get2(r_13); - key_10: key_t <- get1(r_13); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, 
aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_13 -> r -yields - -Game 40 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = 
ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- get2(r_7[u_20]); - key_8: key_t <- get1(r_7[u_20]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else 
- return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_7 <-R keys_t; - nonce_9: nonce_t <- get2(r_7); - key_8: key_t <- get1(r_7); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - 
return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); - key_10: key_t <- get1(r_7[u_13, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, 
skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_7 -> r -yields - -Game 41 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, 
nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - 
else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- get2(r_9[u_33]); - key_8: key_t <- get1(r_9[u_33]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_9 <-R keys_t; - nonce_9: nonce_t <- get2(r_9); - key_8: key_t <- get1(r_9); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let 
injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); 
- let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - 
return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_9 -> r -yields - -Game 42 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- 
get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- get2(r_8[u_31]); - key_8: key_t <- get1(r_8[u_31]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_8 <-R keys_t; - nonce_9: nonce_t <- get2(r_8); - key_8: key_t <- get1(r_8); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- part2_4[u_33]; - key_8: key_t <- part1_4[u_33]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - r_9: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_4; - key_8: key_t <- part1_4; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let 
AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- 
cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); - key_10: key_t <- get1(r_8[u_25, i''_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_8 -> r -yields - -Game 43 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; 
- return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- get2(r_10[u_35]); - key_8: key_t <- get1(r_10[u_35]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - 
return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_10 <-R keys_t; - nonce_9: nonce_t <- get2(r_10); - key_8: key_t <- get1(r_10); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- part2_5[u_31]; - key_8: key_t <- part1_5[u_31]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - r_8: 
keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_5; - key_8: key_t <- part1_5; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- part2_4[u_33]; - key_8: key_t <- part1_4[u_33]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - r_9: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_4; - key_8: key_t <- part1_4; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, 
info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- get2(r_10[u_27, u_28]); - key_10: key_t <- get1(r_10[u_27, u_28]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, 
key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- part2_5[u_25, i''_1]; - key_10: key_t <- part1_5[u_25, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_10 -> r -yields - -Game 44 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, 
aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - r_6 <-R keys_t; - nonce_6: nonce_t <- get2(r_6); - key_6: key_t <- get1(r_6); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- get2(r_6[u_6, u_7]); - key_8: key_t <- get1(r_6[u_6, u_7]); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- part2_6[u_35]; - key_8: key_t <- part1_6[u_35]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, 
r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - r_10: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_6; - key_8: key_t <- part1_6; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- part2_5[u_31]; - key_8: key_t <- part1_5[u_31]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - r_8: keys_t <- cst_keys_t; - nonce_9: 
nonce_t <- part2_5; - key_8: key_t <- part1_5; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- part2_4[u_33]; - key_8: key_t <- part1_4[u_33]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - r_9: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_4; - key_8: key_t <- part1_4; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- 
get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); - key_10: key_t <- get1(r_6[u_4, i'_1]); - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- part2_6[u_27, u_28]; - key_10: key_t <- part1_6[u_27, u_28]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, 
aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- part2_5[u_25, i''_1]; - key_10: key_t <- part1_5[u_25, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_6 -> r -yields - -Game 45 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: 
bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - r_6: keys_t <- cst_keys_t; - nonce_6: nonce_t <- part2_7; - key_6: key_t <- part1_7; - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - nonce_9: nonce_t <- part2_7[u_6, u_7]; - key_8: key_t <- part1_7[u_6, u_7]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - nonce_9: nonce_t <- part2_6[u_35]; - key_8: key_t <- part1_6[u_35]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_2; - key_8: key_t <- part1_2; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - r_10: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_6; - key_8: key_t <- part1_6; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - nonce_9: nonce_t <- part2_3[u_20]; - key_8: key_t <- part1_3[u_20]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - nonce_9: nonce_t <- part2_5[u_31]; - key_8: key_t <- part1_5[u_31]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - 
else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - r_8: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_5; - key_8: key_t <- part1_5; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - nonce_9: nonce_t <- part2_4[u_33]; - key_8: key_t <- part1_4[u_33]; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - nonce_9: nonce_t <- part2; - key_8: key_t <- part1; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - r_9: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_4; - key_8: key_t <- part1_4; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_3; - key_8: key_t <- part1_3; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let 
AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part2_7[ri, i'_1], part1_7[ri, i'_1], r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - nonce_12: nonce_t <- part2_7[u_4, i'_1]; - key_10: key_t <- part1_7[u_4, i'_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - nonce_12: nonce_t <- part2_6[u_27, u_28]; - key_10: key_t <- part1_6[u_27, u_28]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - 
else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_13: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_2; - key_10: key_t <- part1_2; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - nonce_12: nonce_t <- part2_3[u_13, i''_1]; - key_10: key_t <- part1_3[u_13, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - nonce_12: nonce_t <- part2_5[u_25, i''_1]; - key_10: key_t <- part1_5[u_25, i''_1]; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_12: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2_1; - key_10: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - r_11: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on 
r_11 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_12 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_13 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_7 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on r_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on 
nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on r_9 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on r_10 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on r_6 (definition removed, all usages removed) - - Remove assignments on nonce_6 (definition removed, all usages removed) - - Remove assignments on key_6 (definition removed, all usages removed) -yields - -Game 46 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - ct_8: 
bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {160} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - {195} find [unique] suchthat info_6 = info_5[u_6, u_7] then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_7[u_6, u_7], part2_7[u_6, u_7]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6[u_35], part2_6[u_35]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_2, part2_2) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6, part2_6) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - {377} find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - {405} find [unique] suchthat info_6 = info_6[u_20] then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_3[u_20], part2_3[u_20]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5[u_31], part2_5[u_31]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5, part2_5) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - {584} find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - let injbot(pt_6: 
bitstring) = Open_inner(c, aad_9, part1, part2) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_3, part2_3) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - {863} find u_4 = ri <= Qeperuser suchthat defined(part2_7[ri, i'_1], part1_7[ri, i'_1], part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] 
= enc_star) then - {887} find [unique] suchthat info_star = info_5[u_4, i'_1] then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_7[u_4, i'_1], part2_7[u_4, i'_1]) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_6[u_27, u_28], part2_6[u_27, u_28]) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_2, part2_2) in - event_abort adv_wins - else - return(bottom) - else - {965} find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - {989} find [unique] suchthat info_star = info_6[u_13, i''_1] then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_3[u_13, i''_1], part2_3[u_13, i''_1]) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_5[u_25, i''_1], part2_5[u_25, i''_1]) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_1, part2_1) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = 
AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1, part2) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Replaced defined condition part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1] with part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1] in find at 989 - - Replaced defined condition part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] with part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] in find at 965 - - Replaced defined condition part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26] with part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26] in find at 887 - - Replaced defined condition part2_7[ri, i'_1], part1_7[ri, i'_1], part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1] with part2_7[ri, i'_1], part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1] in find at 863 - - Replaced defined condition part2_4[ri_37], part1_4[ri_37], part1_4[ri_37], info_6[ri_37] with part2_4[ri_37], part1_4[ri_37], info_6[ri_37] in find at 584 - - Replaced defined condition part2, part1, part1, info_star, enc_star, pk_S, i''_1 with part2, part1, info_star, enc_star, pk_S, i''_1 in find at 377 - - Replaced defined condition part2_1, part1_1, part1_1, info_star, i''_1, u_13 with part2_1, part1_1, info_star, i''_1, u_13 in find at 405 - - Replaced defined condition part2_5[ri_33], part1_5[ri_33], part1_5[ri_33], info_6[ri_33], u_20[ri_33] with part2_5[ri_33], part1_5[ri_33], 
info_6[ri_33], u_20[ri_33] in find at 405 - - Replaced defined condition part2_3[ri_16], part1_3[ri_16], part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16] with part2_3[ri_16], part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16] in find at 377 - - Replaced defined condition part2_2, part1_2, part1_2, info_star, i'_1, u_4 with part2_2, part1_2, info_star, i'_1, u_4 in find at 195 - - Replaced defined condition part2_6[ri_39], part1_6[ri_39], part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39] with part2_6[ri_39], part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39] in find at 195 - - Replaced defined condition part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] with part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 160 -yields - -Game 47 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - ct_8: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 
<= Qeperuser, u_7 = ri_3 <= N suchthat defined(part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_7[u_6, u_7], part2_7[u_6, u_7]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6[u_35], part2_6[u_35]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_2, part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_2, part2_2) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6, part2_6) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_3[u_20], part2_3[u_20]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - let 
injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5[u_31], part2_5[u_31]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2_1, part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5, part2_5) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part2, part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1, part2) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_3, part2_3) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - 
return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part2_7[ri, i'_1], part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_7[u_4, i'_1], part2_7[u_4, i'_1]) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_6[u_27, u_28], part2_6[u_27, u_28]) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_2, 
part2_2) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_3[u_13, i''_1], part2_3[u_13, i''_1]) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_5[u_25, i''_1], part2_5[u_25, i''_1]) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_1, part2_1) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1, part2) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence int_ctxt(Seal_inner) with part1, part1_1, part1_5, part1_3, part1_2, part1_6, part1_7 [probability Adv_ctxt(time(context for game 47) + time, #Oaenc + 3 + 3 * #Oadec, 1 + #Oadec + 3 * Qdperuser)] - - Equivalence int_ctxt(Seal_inner) with variables: part2_2 -> n, part2_6 -> n, part2 -> n, part2_1 -> n, part2_5 -> n, part2_3 -> n, part2_7 -> n, part1_7 -> k_1, part1_6 -> k_1, part1_2 -> k_1, part1_3 -> k_1, part1_5 -> k_1, part1_1 -> k_1, part1 -> k_1 -yields - -Game 48 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - 
Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - ct_8: bitstring <- (x_8: bitstring <- m; d: bitstring <- aad_8; r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); r_14); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - let injbot(pt_6: bitstring) = (y_7: bitstring <- c; c_d_7: bitstring <- aad_9; if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then injbot(x_8[u_6, u_7]) else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - let injbot(pt_6: bitstring) = (y_8: bitstring <- c; c_d_8: bitstring <- aad_9; {328}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - 
return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = (y_9: bitstring <- c; c_d_9: bitstring <- aad_9; {369}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - let injbot(pt_6: bitstring) = (y_6: bitstring <- c; c_d_6: bitstring <- aad_9; {395}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - let injbot(pt_6: bitstring) = (y_2: bitstring <- c; c_d_2: bitstring <- aad_9; {453}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - let injbot(pt_6: bitstring) = (y_3: bitstring <- c; c_d_3: bitstring <- aad_9; {498}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - let injbot(pt_6: bitstring) = (y_4: bitstring <- c; c_d_4: bitstring <- aad_9; {537}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - let injbot(pt_6: bitstring) = (y_1: bitstring <- c; c_d_1: bitstring <- aad_9; {563}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind 
suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - let injbot(pt_6: bitstring) = (y_5: bitstring <- c; c_d_5: bitstring <- aad_9; {652}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - let injbot(pt_6: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_9; {727}find else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) 
= pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - let injbot(pt_7: bitstring) = (y_15: bitstring <- ciph_star; c_d_15: bitstring <- aad_star; if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then injbot(x_8[u_4, i'_1]) else bottom) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - let injbot(pt_7: bitstring) = (y_16: bitstring <- ciph_star; c_d_16: bitstring <- aad_star; {957}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - let injbot(pt_7: bitstring) = (y_14: bitstring <- ciph_star; c_d_14: bitstring <- aad_star; {971}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - let injbot(pt_7: bitstring) = (y_12: bitstring <- ciph_star; c_d_12: bitstring <- aad_star; {1009}find else bottom) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 
<= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - let injbot(pt_7: bitstring) = (y_13: bitstring <- ciph_star; c_d_13: bitstring <- aad_star; {1038}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = (y_11: bitstring <- ciph_star; c_d_11: bitstring <- aad_star; {1052}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - let injbot(pt_7: bitstring) = (y_10: bitstring <- ciph_star; c_d_10: bitstring <- aad_star; {1073}find else bottom) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Find at 328 removed (else branch kept if any) - - Find at 369 removed (else branch kept if any) - - Find at 395 removed (else branch kept if any) - - Find at 453 removed (else branch kept if any) - - Find at 498 removed (else branch kept if any) - - Find at 537 removed (else branch kept if any) - - Find at 563 removed (else branch kept if any) - - Find at 652 removed (else branch kept if any) - - Find at 727 removed (else branch kept if any) - - Find at 957 removed (else branch kept if any) - - Find at 971 removed (else branch kept if any) - - Find at 1009 removed (else branch kept if any) - - Find at 1038 removed (else branch kept if any) - - Find at 1052 removed (else branch kept if any) - - Find at 1073 removed (else branch kept if any) -yields - -Game 49 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && 
(pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - ct_8: bitstring <- (x_8: bitstring <- m; d: bitstring <- aad_8; r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); r_14); - return(SealAuth_Some(ce_2, ct_8)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - {215} let injbot(pt_6: bitstring) = (y_7: bitstring <- c; c_d_7: bitstring <- aad_9; if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then injbot(x_8[u_6, u_7]) else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - {319} let injbot(pt_6: bitstring) = (y_8: bitstring <- c; c_d_8: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && 
(info_6 = info_star) then - {359} let injbot(pt_6: bitstring) = (y_9: bitstring <- c; c_d_9: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - {384} let injbot(pt_6: bitstring) = (y_6: bitstring <- c; c_d_6: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - {441} let injbot(pt_6: bitstring) = (y_2: bitstring <- c; c_d_2: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - {485} let injbot(pt_6: bitstring) = (y_3: bitstring <- c; c_d_3: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - {523} let injbot(pt_6: bitstring) = (y_4: bitstring <- c; c_d_4: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - {548} let injbot(pt_6: bitstring) = (y_1: bitstring <- c; c_d_1: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat 
defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - {636} let injbot(pt_6: bitstring) = (y_5: bitstring <- c; c_d_5: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - {710} let injbot(pt_6: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_9; bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && 
(pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - {885} let injbot(pt_7: bitstring) = (y_15: bitstring <- ciph_star; c_d_15: bitstring <- aad_star; if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then injbot(x_8[u_4, i'_1]) else bottom) in - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - {943} let injbot(pt_7: bitstring) = (y_16: bitstring <- ciph_star; c_d_16: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - {956} let injbot(pt_7: bitstring) = (y_14: bitstring <- ciph_star; c_d_14: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - {993} let injbot(pt_7: bitstring) = (y_12: bitstring <- ciph_star; c_d_12: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then -{1021} let injbot(pt_7: 
bitstring) = (y_13: bitstring <- ciph_star; c_d_13: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; -{1034} let injbot(pt_7: bitstring) = (y_11: bitstring <- ciph_star; c_d_11: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; -{1054} let injbot(pt_7: bitstring) = (y_10: bitstring <- ciph_star; c_d_10: bitstring <- aad_star; bottom) in - event_abort adv_wins - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand [probability N * N * P_pk_coll] - - Expand if/find/let - - Remove let at 1054 - - Remove let at 1034 - - Remove let at 1021 - - Remove let at 993 - - Remove let at 956 - - Remove let at 943 - - Remove let at 885 - - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 885 - - Remove else branch of let at 885 - - Remove let at 710 - - Remove let at 636 - - Remove let at 548 - - Remove let at 523 - - Remove let at 485 - - Remove let at 441 - - Remove let at 384 - - Remove let at 359 - - Remove let at 319 - - Remove let at 215 - - Simplify pattern injbot(pt_6: bitstring) (tuple expanded) at 215 - - Remove else branch of let at 215 -yields - -Game 50 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - x_8: bitstring <- m; - d: bitstring <- aad_8; - r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); - ct_8: bitstring <- r_14; - return(SealAuth_Some(ce_2, ct_8)) - else 
- k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat info_6 = info_5[u_6, u_7] then - y_7: bitstring <- c; - c_d_7: bitstring <- aad_9; - if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then - pt_6: bitstring <- x_8[u_6, u_7]; - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - y_8: bitstring <- c; - c_d_8: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - y_9: bitstring <- c; - c_d_9: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - y_6: bitstring <- c; - c_d_6: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - y_2: bitstring <- c; - 
c_d_2: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - y_3: bitstring <- c; - c_d_3: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - y_4: bitstring <- c; - c_d_4: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - part2_5 <-R nonce_t; - part1_5 <-R key_t; - y_1: bitstring <- c; - c_d_1: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - y_5: bitstring <- c; - c_d_5: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part2_3 <-R nonce_t; - part1_3 <-R key_t; - y: bitstring <- c; - c_d: bitstring <- aad_9; - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- 
get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] suchthat info_star = info_5[u_4, i'_1] then - y_15: bitstring <- ciph_star; - c_d_15: bitstring <- aad_star; - if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then - pt_7: bitstring <- x_8[u_4, i'_1]; - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - y_16: bitstring <- ciph_star; - c_d_16: bitstring <- aad_star; - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - y_14: bitstring <- ciph_star; - c_d_14: bitstring <- aad_star; - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, 
i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - y_12: bitstring <- ciph_star; - c_d_12: bitstring <- aad_star; - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - y_13: bitstring <- ciph_star; - c_d_13: bitstring <- aad_star; - return(bottom) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - y_11: bitstring <- ciph_star; - c_d_11: bitstring <- aad_star; - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part2 <-R nonce_t; - part1 <-R key_t; - y_10: bitstring <- ciph_star; - c_d_10: bitstring <- aad_star; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on y_10 (definition removed, all usages removed) - - Remove assignments on c_d_10 (definition removed, all usages removed) - - Remove assignments on y_11 (definition removed, all usages removed) - - Remove assignments on c_d_11 (definition removed, all usages removed) - - Remove assignments on y_12 (definition removed, all usages removed) - - Remove assignments on c_d_12 (definition removed, all usages removed) - - Remove assignments on y_13 (definition removed, all usages removed) - - Remove assignments on c_d_13 (definition removed, all usages removed) - - Remove assignments on y_14 (definition removed, all usages removed) - - Remove assignments on c_d_14 (definition removed, all usages removed) - - Remove assignments on y_15 (definition removed, all usages removed) - - Remove assignments on c_d_15 (definition removed, all usages removed) - - Remove assignments on pt_7 (definition removed, all usages removed) - - Remove assignments on y_16 (definition removed, all usages removed) - - Remove assignments on c_d_16 (definition removed, all usages removed) - - Remove 
assignments on y (definition removed, all usages removed) - - Remove assignments on c_d (definition removed, all usages removed) - - Remove assignments on y_1 (definition removed, all usages removed) - - Remove assignments on c_d_1 (definition removed, all usages removed) - - Remove assignments on y_2 (definition removed, all usages removed) - - Remove assignments on c_d_2 (definition removed, all usages removed) - - Remove assignments on y_3 (definition removed, all usages removed) - - Remove assignments on c_d_3 (definition removed, all usages removed) - - Remove assignments on y_4 (definition removed, all usages removed) - - Remove assignments on c_d_4 (definition removed, all usages removed) - - Remove assignments on y_5 (definition removed, all usages removed) - - Remove assignments on c_d_5 (definition removed, all usages removed) - - Remove assignments on y_6 (definition removed, all usages removed) - - Remove assignments on c_d_6 (definition removed, all usages removed) - - Remove assignments on y_7 (definition removed, all usages removed) - - Remove assignments on c_d_7 (definition removed, all usages removed) - - Remove assignments on pt_6 (definition removed, all usages removed) - - Remove assignments on y_8 (definition removed, all usages removed) - - Remove assignments on c_d_8 (definition removed, all usages removed) - - Remove assignments on y_9 (definition removed, all usages removed) - - Remove assignments on c_d_9 (definition removed, all usages removed) - - Remove assignments on x_8 (definition removed, all usages removed) - - Remove assignments on d (definition removed, all usages removed) - - Remove assignments on ct_8 (definition kept, array references kept) -yields - -Game 51 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) 
then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); - ct_8: bitstring <- r_14; - return(SealAuth_Some(ce_2, r_14)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - {196} find [unique] suchthat info_6 = info_5[u_6, u_7] then - {208} if defined(m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then - return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - part2_6 <-R nonce_t; - part1_6 <-R key_t; - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && 
(pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - {429} part2_5 <-R nonce_t; - {430} part1_5 <-R key_t; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - {555} part2_3 <-R nonce_t; - {556} part1_3 <-R key_t; - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - {708} find [unique] suchthat info_star = info_5[u_4, i'_1] then - {714} if defined(m[u_4, i'_1], aad_8[u_4, i'_1], part1_7[u_4, i'_1], part1_7[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star) then - event_abort adv_wins - else - return(bottom) - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - return(bottom) - else - part2_2 <-R nonce_t; - part1_2 <-R key_t; - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, 
i''_1]) then - return(bottom) - else - {827} part2_1 <-R nonce_t; - {828} part1_1 <-R key_t; - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - {840} part2 <-R nonce_t; - {841} part1 <-R key_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Transform unused random number generation at 841 into constant assignment - - Remove random number generation at 840 - - Transform unused random number generation at 828 into constant assignment - - Remove random number generation at 827 - - Simplified find at 714 in branch of find at 708 - - Transform unused random number generation at 556 into constant assignment - - Remove random number generation at 555 - - Transform unused random number generation at 430 into constant assignment - - Remove random number generation at 429 - - Simplified find at 208 in branch of find at 196 -yields - -Game 52 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); - ct_8: bitstring <- r_14; - return(SealAuth_Some(ce_2, r_14)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - 
foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - {165} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - {196} find [unique] suchthat defined(m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7]) && (info_6 = info_5[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then - return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - {332} if info_6 = info_5[u_6, u_7] then - return(OpenAuth_Some(Context_Open_None)) - else - {349} part2_6 <-R nonce_t; - {350} part1_6 <-R key_t; - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - part1_5: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = 
i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part1_3: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser 
suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - {722} find [unique] suchthat defined(m[u_4, i'_1], aad_8[u_4, i'_1], part1_7[u_4, i'_1], part1_7[u_4, i'_1], r_14[u_4, i'_1]) && {733}((info_star = info_5[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star)) then - event_abort adv_wins - orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - return(bottom) - else - {780} if info_star = info_5[u_4, i'_1] then - return(bottom) - else - {790} part2_2 <-R nonce_t; - {791} part1_2 <-R key_t; - return(bottom) - else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - return(bottom) - else - part1_1: key_t <- cst_key_t; - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part1: key_t <- cst_key_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Transformed find at 780 into a test - - Transform unused random number generation at 791 into constant assignment - - Remove random number generation at 790 - - Replaced ((info_star = info_5[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star)) with false at 733 - - Remove branch 1 in find at 722 - - Transformed 
find at 332 into a test - - Transform unused random number generation at 350 into constant assignment - - Remove random number generation at 349 - - Replaced defined condition m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7] with an empty condition in find at 196 - - Replaced defined condition part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] with m[ri_2, ri_3], aad_8[ri_2, ri_3], r_14[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 165 -yields - -Game 53 is - (( - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := - find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then - k_3 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); - enc_4: kemciph_t <- ce_2; - part2_7 <-R nonce_t; - part1_7 <-R key_t; - r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); - ct_8: bitstring <- r_14; - return(SealAuth_Some(ce_2, r_14)) - else - k_2 <-R kemseed_t; - sk_1: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); - k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); - enc_4: kemciph_t <- ce_1; - r_3: keys_t <- KeySchedule_auth(k_5, info_5); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); - return(SealAuth_Some(ce_1, ct_8)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(m[ri_2, ri_3], aad_8[ri_2, ri_3], r_14[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then - find [unique] suchthat (info_6 = info_5[u_6, u_7]) && 
(r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then - return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) - orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - if info_6 = info_5[u_6, u_7] then - return(OpenAuth_Some(Context_Open_None)) - else - part1_6: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - else - find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then - find [unique] suchthat info_6 = info_6[u_20] then - return(OpenAuth_Some(Context_Open_None)) - orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then - return(OpenAuth_Some(Context_Open_None)) - else - part1_5: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then - find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_6 = info_star then - return(OpenAuth_Some(Context_Open_None)) - else - part2_4 <-R nonce_t; - part1_4 <-R key_t; - let injbot(pt_6: bitstring) = 
Open_inner(c, aad_9, part1_4, part2_4) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then - let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - part1_3: key_t <- cst_key_t; - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_6))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - )) - ) | ( - Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := - find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], s[i']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then - find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then - return(bottom) - else - find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then - find [unique] u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then - return(bottom) - else - if info_star = info_5[u_4, i'_1] then - return(bottom) - else - part1_2: key_t <- cst_key_t; - return(bottom) - 
else - find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then - find [unique] suchthat info_star = info_6[u_13, i''_1] then - return(bottom) - orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then - return(bottom) - else - part1_1: key_t <- cst_key_t; - return(bottom) - else - let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in - part1: key_t <- cst_key_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Proved event(adv_wins) ==> false in game 53 -Adv[Game 1: event(adv_wins) ==> false] <= Adv_ctxt(time_1, #Oaenc + 3 + 3 * #Oadec, 1 + #Oadec + 3 * Qdperuser) + Adv_PRF_KeySchedule(time_2, #Oaenc + 1 + #Oadec, 1 + #Oaenc + Qdperuser + #Oadec) + (#Oaenc * N + 13 * N * N) * P_pk_coll + Adv_Outsider_Auth(time_3, N, #Oaenc, 1 + #Oadec) + Adv_Outsider_CCA(time_4, N, #Oaenc, 1 + #Oadec) + Adv[Game 53: event(adv_wins) ==> false] -Adv[Game 53: event(adv_wins) ==> false] <= 0 -RESULT Proved event(adv_wins) ==> false up to probability Adv_ctxt(time_1, #Oaenc + 3 + 3 * #Oadec, 1 + #Oadec + 3 * Qdperuser) + Adv_PRF_KeySchedule(time_2, #Oaenc + 1 + #Oadec, 1 + #Oaenc + Qdperuser + #Oadec) + (#Oaenc * N + 13 * N * N) * P_pk_coll + Adv_Outsider_Auth(time_3, N, #Oaenc, 1 + #Oadec) + Adv_Outsider_CCA(time_4, N, #Oaenc, 1 + #Oadec) -RESULT time_1 = time(context for game 47) + time -RESULT time_2 = time(context for game 29) + time -RESULT time_3 = time(context for game 17) + time -RESULT time_4 = time(context for game 10) + time -RESULT time(context for game 10) = #Oaenc * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 10: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * 
time(Seal_inner, maxlength(game 10: m), maxlength(game 10: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 10: ct_8)) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 10: info_6)) + #Oadec * time(Open_inner, maxlength(game 10: c), maxlength(game 10: aad_9)) + #Oadec * time(let injbot, maxlength(game 10: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 10: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 10: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 10: ct_8), maxlength(game 10: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 10: aad_8), maxlength(game 10: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 10: info_5), maxlength(game 10: info_star)) + time(KeySchedule_auth, maxlength(game 10: info_star)) + time(Open_inner, maxlength(game 10: ciph_star), maxlength(game 10: aad_star)) + time(let injbot, maxlength(game 10: pt_7)) -RESULT time(context for game 17) = 2 * #Oaenc * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 17: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 17: m), maxlength(game 17: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 17: ct_8)) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 17: info_6)) + #Oadec * time(Open_inner, maxlength(game 17: c), maxlength(game 17: aad_9)) + #Oadec * time(let injbot, maxlength(game 17: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 17: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 17: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 17: ct_8), maxlength(game 17: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 17: aad_8), maxlength(game 17: aad_star)) + Qeperuser * time(= 
bitstring, maxlength(game 17: info_5), maxlength(game 17: info_star)) + time(KeySchedule_auth, maxlength(game 17: info_star)) + time(Open_inner, maxlength(game 17: ciph_star), maxlength(game 17: aad_star)) + time(let injbot, maxlength(game 17: pt_7)) -RESULT time(context for game 29) = (N + #Oaenc * N + #Oadec * #Oaenc + #Oadec * N + 2 * N * N) * time(pkgen) + (#Oaenc + #Oadec + 1) * time(skgen) + #Oaenc * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 29: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 29: m), maxlength(game 29: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 29: ct_8)) + (#Oadec + 1) * time(AuthDecap) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 29: info_6)) + #Oadec * time(Open_inner, maxlength(game 29: c), maxlength(game 29: aad_9)) + #Oadec * time(let injbot, maxlength(game 29: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 29: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 29: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 29: ct_8), maxlength(game 29: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 29: aad_8), maxlength(game 29: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 29: info_5), maxlength(game 29: info_star)) + time(Open_inner, maxlength(game 29: ciph_star), maxlength(game 29: aad_star)) + time(let injbot, maxlength(game 29: pt_7)) -RESULT time(context for game 47) = (N + #Oaenc * N + #Oadec * #Oaenc + #Oadec * N + 2 * N * N) * time(pkgen) + (#Oaenc + #Oadec + 1) * time(skgen) + #Oaenc * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 47: info_5)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 47: m), 
maxlength(game 47: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 47: ct_8)) + #Oadec * time(= bitstring, maxlength(game 47: info_6), maxlength(game 47: info_5)) + (#Oadec + #Oadec * Qdperuser) * time(= bitstring, maxlength(game 47: info_6), maxlength(game 47: info_6)) + #Oadec * time(= bitstring, maxlength(game 47: info_6), maxlength(game 47: info_star)) + (#Oadec + 1) * time(AuthDecap) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 47: info_6)) + #Oadec * time(Open_inner, maxlength(game 47: c), maxlength(game 47: aad_9)) + #Oadec * time(let injbot, maxlength(game 47: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 47: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 47: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 47: ct_8), maxlength(game 47: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 47: aad_8), maxlength(game 47: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 47: info_5), maxlength(game 47: info_star)) + time(= bitstring, maxlength(game 47: info_star), maxlength(game 47: info_5)) + (#Oadec + 1 + Qdperuser) * time(= bitstring, maxlength(game 47: info_star), maxlength(game 47: info_6)) + time(let injbot, maxlength(game 47: pt_7)) -All queries proved. 
+Initial state +Game 1 is + (( + foreach i <= N do + Osetup() := + let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + let SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) = (let SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_1: pkey_t <- pk_2; sk: skey_t <- the_sk; k <-R kemseed_t; AuthEncap_r(k, pk_1, sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_4, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_9: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_8: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_8, key_7, nonce_8)); Context_Seal_Some(ct_8) else Context_Seal_None) in SealAuth_Some(enc_5, ct_9) else SealAuth_None else SealAuth_None) in + insert E(the_pk, pk_2, enc_6, ct_10, aad_8, info_5); + return(SealAuth_Some(enc_6, ct_10)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + return((let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: 
nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_6: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_9, key_9, nonce_11)) in Context_Open_Some(pt_6) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i'']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + get E(=pk_S, =pk_R, =enc_star, =ciph_star, =aad_star, =info_star) in + return(bottom) + else + let OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) = (skR_2: skey_t <- the_sk[i''_1]; let SetupAuthR_Some(ctx_11: context_t) = (let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_10) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in let injbot(pt_7: bitstring) = (nonce_14: nonce_t <- xor(nonce_13, seq_5); Open_inner(ciph_star, aad_star, key_11, nonce_14)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + )) + + +Applying expand get, insert and prove unique annotations + - Expand get/insert for table E +yields + +Game 2 is + (( + foreach i <= N do + Osetup() := + {5} let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + {23} let SealAuth_Some(enc_6: kemciph_t, 
ct_10: bitstring) = {24}(let SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_1: pkey_t <- pk_2; sk: skey_t <- the_sk; k <-R kemseed_t; AuthEncap_r(k, pk_1, sk)) in {44}let KeySchedule_Some(ctx_6: context_t) = {45}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_4, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {82}let Context_Seal_Some(ct_9: bitstring) = {83}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_8: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_8, key_7, nonce_8)); Context_Seal_Some(ct_8) else Context_Seal_None) in SealAuth_Some(enc_5, ct_9) else SealAuth_None else SealAuth_None) in + E_1: pkey_t <- the_pk; + E_2: pkey_t <- pk_2; + E_3: kemciph_t <- enc_6; + E_4: bitstring <- ct_10; + E_5: bitstring <- aad_8; + E_6: bitstring <- info_5; + return(SealAuth_Some(enc_6, ct_10)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + return({172}(let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in {183}let KeySchedule_Some(ctx_8: context_t) = {184}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({219}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_6: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_9, key_9, nonce_11)) in Context_Open_Some(pt_6) else 
Context_Open_None else Context_Open_None)) else OpenAuth_None)) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + {255} find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i'']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_S) && (E_2[u_2, u_3] = pk_R) && (E_3[u_2, u_3] = enc_star) && (E_4[u_2, u_3] = ciph_star) && (E_5[u_2, u_3] = aad_star) && (E_6[u_2, u_3] = info_star) then + return(bottom) + else + {321} let OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) = (skR_2: skey_t <- the_sk[i''_1]; {325}let SetupAuthR_Some(ctx_11: context_t) = (let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in {331}let KeySchedule_Some(ctx_10: context_t) = {332}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_10) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({353}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in let injbot(pt_7: bitstring) = (nonce_14: nonce_t <- xor(nonce_13, seq_5); Open_inner(ciph_star, aad_star, key_11, nonce_14)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Remove let at 321 + - Remove let at 325 + - Remove let at 321 + - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 332 + - Remove else branch of let at 332 + - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 
331 + - Remove else branch of let at 331 + - Simplify pattern SetupAuthR_Some(ctx_11: context_t) (tuple expanded) at 325 + - Remove else branch of let at 325 + - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 353 + - Remove else branch of let at 353 + - Simplify pattern OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) (tuple expanded) at 321 + - Remove let at 321 + - Simplify pattern Context_Open_Some(pt_8: bitstring) (tuple expanded), pattern OpenAuth_Some(Context_Open_Some(pt_8: bitstring)) (tuple expanded) at 321 + - Remove else branch of let at 321 + - Replaced defined condition the_pk[i'], the_pk[i''], the_sk[i'], the_sk[i''] with the_sk[i''], the_pk[i''], the_pk[i'] in find at 255 + - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 5 + - Remove let at 172 + - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 184 + - Remove else branch of let at 184 + - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 183 + - Remove else branch of let at 183 + - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 172 + - Remove else branch of let at 172 + - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 219 + - Remove else branch of let at 219 + - Remove let at 23 + - Remove let at 24 + - Remove let at 23 + - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 45 + - Remove else branch of let at 45 + - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 44 + - Remove else branch of let at 44 + - Simplify pattern SetupAuthS_Some(enc_5: kemciph_t, ctx_7: context_t) (tuple expanded) at 24 + - Remove else branch of let at 24 + - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 83 + - Remove else branch of let at 83 + - Simplify pattern Context_Seal_Some(ct_9: bitstring) (tuple expanded) at 82 + - Remove else 
branch of let at 82 + - Simplify pattern SealAuth_Some(enc_6: kemciph_t, ct_10: bitstring) (tuple expanded) at 23 + - Remove else branch of let at 23 +yields + +Game 3 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + pk_1: pkey_t <- pk_2; + sk: skey_t <- the_sk; + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_1, sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); + ctx_7: context_t <- ctx_6; + enc_5: kemciph_t <- enc_4; + seq_3: nonce_t <- nonce_zero; + nonce_7: nonce_t <- nonce_6; + key_7: key_t <- key_6; + nonce_8: nonce_t <- xor(nonce_7, seq_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_7, nonce_8); + ct_9: bitstring <- ct_8; + ct_10: bitstring <- ct_9; + enc_6: kemciph_t <- enc_5; + E_1: pkey_t <- the_pk; + E_2: pkey_t <- pk_2; + E_3: kemciph_t <- enc_6; + E_4: bitstring <- ct_10; + E_5: bitstring <- aad_8; + E_6: bitstring <- info_5; + return(SealAuth_Some(enc_6, ct_10)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); + ctx_9: context_t <- ctx_8; + seq_4: nonce_t <- nonce_zero; + nonce_10: nonce_t <- nonce_9; + key_9: key_t <- key_8; + nonce_11: nonce_t <- xor(nonce_10, seq_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_9, nonce_11) in + 
return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_S) && (E_2[u_2, u_3] = pk_R) && (E_3[u_2, u_3] = enc_star) && (E_4[u_2, u_3] = ciph_star) && (E_5[u_2, u_3] = aad_star) && (E_6[u_2, u_3] = info_star) then + return(bottom) + else + skR_2: skey_t <- the_sk[i''_1]; + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skR_2, pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); + ctx_11: context_t <- ctx_10; + seq_5: nonce_t <- nonce_zero; + nonce_13: nonce_t <- nonce_12; + key_11: key_t <- key_10; + nonce_14: nonce_t <- xor(nonce_13, seq_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_11, nonce_14) in + pt_8: bitstring <- pt_7; + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on skR_2 (definition removed, all usages removed) + - Remove assignments on ctx_11 (definition removed, all usages removed) + - Remove assignments on nonce_13 (definition removed, all usages removed) + - Remove assignments on key_11 (definition removed, all usages removed) + - Remove assignments on pt_8 (definition removed, all usages removed) + - Remove assignments on ctx_9 (definition removed, all usages removed) + - Remove assignments on nonce_10 (definition removed, 
all usages removed) + - Remove assignments on key_9 (definition removed, all usages removed) + - Remove assignments on pk_1 (definition removed, all usages removed) + - Remove assignments on sk (definition removed, all usages removed) + - Remove assignments on ctx_7 (definition removed, all usages removed) + - Remove assignments on enc_5 (definition removed, all usages removed) + - Remove assignments on nonce_7 (definition removed, all usages removed) + - Remove assignments on key_7 (definition removed, all usages removed) + - Remove assignments on ct_9 (definition removed, all usages removed) + - Remove assignments on ct_10 (definition removed, all usages removed) + - Remove assignments on enc_6 (definition removed, all usages removed) + - Remove assignments on E_1 (definition removed, all usages removed) + - Remove assignments on E_2 (definition removed, all usages removed) + - Remove assignments on E_3 (definition removed, all usages removed) + - Remove assignments on E_4 (definition removed, all usages removed) + - Remove assignments on E_5 (definition removed, all usages removed) + - Remove assignments on E_6 (definition removed, all usages removed) + - Remove assignments on ctx_10 (definition removed, all usages removed) + - Remove assignments on ctx_8 (definition removed, all usages removed) + - Remove assignments on ctx_6 (definition removed, all usages removed) +yields + +Game 4 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- {55}xor(nonce_6, seq_3); + ct_8: 
bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- {131}xor(nonce_9, seq_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + {190} find u = u_2 <= Qeperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], pk_2[u_2, u_3], enc_4[u_2, u_3], aad_8[u_2, u_3], info_5[u_2, u_3], ct_8[u_2, u_3]) && {202}((the_pk[u_3] = pk_S) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) then + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- {259}xor(nonce_12, seq_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced xor(nonce_12, 
seq_5) with nonce_12 at 259 + - Replaced ((the_pk[u_3] = pk_S) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) with ((u_3 = i'_1) && (pk_2[u_2, u_3] = pk_R) && (enc_4[u_2, u_3] = enc_star) && (ct_8[u_2, u_3] = ciph_star) && (aad_8[u_2, u_3] = aad_star) && (info_5[u_2, u_3] = info_star)) at 202 + - In branch 1 of find at 190, substituting u_1 with i'_1 + - Replaced defined condition the_pk[u_3], pk_2[u_2, u_3], enc_4[u_2, u_3], aad_8[u_2, u_3], info_5[u_2, u_3], ct_8[u_2, u_3] with info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1] in find at 190 + - Replaced xor(nonce_9, seq_4) with nonce_9 at 131 + - Replaced xor(nonce_6, seq_3) with nonce_6 at 55 +yields + +Game 5 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in + 
return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && {193}((i'_1 = i'_1) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) then + u_1 <= N <- i'_1; + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((i'_1 = i'_1) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) with ((pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star)) at 193 +yields + +Game 6 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: 
kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + u_1 <= N <- i'_1; + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in + event_abort 
adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to seq_5 + - Move assignment to seq_4 +yields + +Game 7 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_8); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + nonce_11: nonce_t <- nonce_9; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) 
&& (info_5[u_2, i'_1] = info_star) then + u_1 <= N <- i'_1; + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + nonce_14: nonce_t <- nonce_12; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_14) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on nonce_14 (definition removed, all usages removed) + - Remove assignments on u_1 (definition removed, all usages removed) + - Remove assignments on nonce_11 (definition removed, all usages removed) + - Remove assignments on seq_3 (definition removed, all usages removed) + - Remove assignments on nonce_8 (definition removed, all usages removed) +yields + +Game 8 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + 
return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(the_sk[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, the_sk[i''_1], pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_sk + - Remove assignments on the_sk (definition removed, all usages removed) +yields + +Game 9 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: 
bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i''], the_pk[i''], the_pk[i']) && (the_pk[i'] = pk_S) && (the_pk[i''] = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_pk + - Remove assignments on the_pk (definition removed, all usages removed) +yields + +Game 10 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + 
key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence outsider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_CCA(time_1, N, #Oaenc, 1 + #Oadec)] + - Equivalence outsider_cca(AuthEncap) with variables: k -> ks, s -> s_1 +yields + +Game 11 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + 
return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + {18} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_R_1: pkey_t <- pk_2; find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_R_1 = pkgen(s[ri_4])) then let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in k': kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_1, ce) else AuthEncap_None else AuthEncap_r(k, pk_R_1, skgen(s))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + {117} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S_1: pkey_t <- pk_3; cd: kemciph_t <- enc_7; find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], s[ri_3], pk_R_1[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3]) && (pkgen(s) = pk_R_1[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_S_1) && (ce[ri_2, ri_3] = cd) then AuthDecap_Some(k'_1[u_6, u_7]) else AuthDecap(cd, skgen(s), pk_S_1)) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, 
i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + {288} let AuthDecap_Some(shared_secret_5: kemkey_t) = (pk_S_2: pkey_t <- pk_S; cd_1: kemciph_t <- enc_star; find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], s[ri_1], pk_R_1[ri, ri_1], k'_1[ri, ri_1], ce[ri, ri_1]) && (pkgen(s[i''_1]) = pk_R_1[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S_2) && (ce[ri, ri_1] = cd_1) then AuthDecap_Some(k'_1[u_4, u_5]) else AuthDecap(cd_1, skgen(s[i''_1]), pk_S_2)) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability N^2 * P_pk_coll] + - Expand if/find/let + - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 288 + - Remove else branch of let at 288 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 117 + - Remove else branch of let at 117 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) (tuple expanded) at 18 + - Remove else branch of let at 18 +yields + +Game 12 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + pk_R_1: pkey_t <- pk_2; + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_R_1 = pkgen(s[ri_4])) then + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + enc_4: kemciph_t <- ce; + shared_secret_3: 
kemkey_t <- k'_1; + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_R_1, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + pk_S_1: pkey_t <- pk_3; + cd: kemciph_t <- enc_7; + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], s[ri_3], pk_R_1[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3]) && (pkgen(s) = pk_R_1[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_S_1) && (ce[ri_2, ri_3] = cd) then + shared_secret_4: kemkey_t <- k'_1[u_6, u_7]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S_1) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + 
return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + pk_S_2: pkey_t <- pk_S; + cd_1: kemciph_t <- enc_star; + find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(k'[ri, ri_1], s[ri_1], pk_R_1[ri, ri_1], k'_1[ri, ri_1], ce[ri, ri_1]) && (pkgen(s[i''_1]) = pk_R_1[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S_2) && (ce[ri, ri_1] = cd_1) then + shared_secret_5: kemkey_t <- k'_1[u_4, u_5]; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(cd_1, skgen(s[i''_1]), pk_S_2) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pk_S_2 (definition removed, all usages removed) + - Remove assignments on cd_1 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages 
removed) + - Remove assignments on pk_S_1 (definition removed, all usages removed) + - Remove assignments on cd (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on pk_R_1 (definition removed, all usages removed) + - Remove assignments on shared_secret_3 (definition removed, all usages removed) + - Remove assignments on enc_4 (definition kept, array references kept) +yields + +Game 13 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + enc_4: kemciph_t <- ce; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + {209} find 
u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(pk_2[ri_2, ri_3], k'[ri_2, ri_3], s[ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3]) && {219}((pkgen(s) = pk_2[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + {416} find u_4 = ri <= Qeperuser, u_5 = ri_1 <= N suchthat defined(pk_2[ri, ri_1], k'[ri, ri_1], s[ri_1], k'_1[ri, ri_1], ce[ri, ri_1]) && {426}((pkgen(s[i''_1]) = pk_2[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S) && (ce[ri, ri_1] = enc_star)) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, u_5], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + 
event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((pkgen(s[i''_1]) = pk_2[ri, ri_1]) && (pkgen(s[ri_1]) = pk_S) && (ce[ri, ri_1] = enc_star)) with ((i''_1 = u_8[ri, ri_1]) && (ri_1 = i'_1) && (ce[ri, ri_1] = enc_star)) at 426 + - In branch 1 of find at 416, substituting u_5 with i'_1 + - Replaced defined condition pk_2[ri, ri_1], k'[ri, ri_1], s[ri_1], k'_1[ri, ri_1], ce[ri, ri_1] with k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1] in find at 416 + - Replaced ((pkgen(s) = pk_2[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7)) with ((i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7)) at 219 + - Replaced defined condition pk_2[ri_2, ri_3], k'[ri_2, ri_3], s[ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3] with k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 209 +yields + +Game 14 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + enc_4: kemciph_t <- ce; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, 
nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N 
suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && {423}((i''_1 = u_8[ri, i'_1]) && (i'_1 = i'_1) && (ce[ri, i'_1] = enc_star)) then + u_5 <= N <- i'_1; + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced ((i''_1 = u_8[ri, i'_1]) && (i'_1 = i'_1) && (ce[ri, i'_1] = enc_star)) with ((i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star)) at 423 +yields + +Game 15 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + k <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + enc_4: kemciph_t <- ce; + r_3: keys_t <- 
KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(enc_4, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: 
pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + u_5 <= N <- i'_1; + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move random number generation k'_1 + - Move random number generation k +yields + +Game 16 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k <-R kemseed_t; + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + 
r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else 
+ return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + u_5 <= N <- i'_1; + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_5 (definition removed, all usages removed) + - Rename variable k into k_3, k_2 +yields + +Game 17 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + 
let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'[ri_2, ri_3], k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: 
nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'[ri, i'_1], k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(shared_secret_5: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence outsider_auth(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_Auth(time_2, N, #Oaenc, 1 + #Oadec)] + - Equivalence outsider_auth(AuthEncap) with variables: k_3 -> ks, k_2 -> ks, s -> s_1 +yields + +Game 18 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + 
return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + {26} let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = (pk_R_3: pkey_t <- pk_2; let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_R_3, skgen(s)) in AuthEncap_tuple(k_6, ce_2) else AuthEncap_None) in + k': kemkey_t <- cst_kemkey_t; + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + {160} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = (pk_R_2: pkey_t <- pk_2; let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_R_2, skgen(s)) in AuthEncap_tuple(k_5, ce_1) else AuthEncap_None) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && 
(ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + {321} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S_3: pkey_t <- pk_3; cd_2: kemciph_t <- enc_7; {330}find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(s[ri_17], pk_S_3[ri_16, ri_17], k'_2[ri_16, ri_17], cd_2[ri_16, ri_17]) && (pkgen(s) = pkgen(s[ri_17])) && (pk_S_3[ri_16, ri_17] = pk_S_3) && (cd_2[ri_16, ri_17] = cd_2) then AuthDecap_Some(k'_2[u_20, u_21]) orfind suchthat defined(s[i''_1], pk_S_4, k'_3, cd_3) && (pkgen(s) = pkgen(s[i''_1])) && (pk_S_4 = pk_S_3) && (cd_3 = cd_2) then AuthDecap_Some(k'_3) orfind u_18 = ri_14 <= Qeperuser, u_19 = ri_15 <= N suchthat defined(s[ri_15], pk_R_2[ri_14, ri_15], k_5[ri_14, ri_15], ce_1[ri_14, ri_15]) && (pkgen(s) = pk_R_2[ri_14, ri_15]) && (pkgen(s[ri_15]) = pk_S_3) && (ce_1[ri_14, ri_15] = cd_2) then AuthDecap_Some(k_5[u_18, u_19]) orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(s[ri_13], pk_R_3[ri_12, ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && (pkgen(s) = pk_R_3[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_S_3) && (ce_2[ri_12, ri_13] = cd_2) then AuthDecap_Some(k_6[u_16, u_17]) else find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_S_3 = pkgen(s[ri_18])) then let AuthDecap_Some(k0: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in k'_2 <-R kemkey_t; AuthDecap_Some(k'_2) else AuthDecap_None else AuthDecap(cd_2, skgen(s), pk_S_3)) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + 
return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + {658} let AuthDecap_Some(shared_secret_5: kemkey_t) = (pk_S_4: pkey_t <- pk_S; cd_3: kemciph_t <- enc_star; {663}find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(s[ri_10], pk_S_3[ri_9, ri_10], k'_2[ri_9, ri_10], cd_2[ri_9, ri_10]) && (pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_S_3[ri_9, ri_10] = pk_S_4) && (cd_2[ri_9, ri_10] = cd_3) then AuthDecap_Some(k'_2[u_13, u_14]) orfind u_11 = ri_7 <= Qeperuser, u_12 = ri_8 <= N suchthat defined(s[ri_8], pk_R_2[ri_7, ri_8], k_5[ri_7, ri_8], ce_1[ri_7, ri_8]) && (pkgen(s[i''_1]) = pk_R_2[ri_7, ri_8]) && (pkgen(s[ri_8]) = pk_S_4) && (ce_1[ri_7, ri_8] = cd_3) then AuthDecap_Some(k_5[u_11, u_12]) orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(s[ri_6], pk_R_3[ri_5, ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && (pkgen(s[i''_1]) = pk_R_3[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S_4) && (ce_2[ri_5, ri_6] = cd_3) then AuthDecap_Some(k_6[u_9, u_10]) else {754}find u_15 = ri_11 <= N suchthat 
defined(s[ri_11]) && (pk_S_4 = pkgen(s[ri_11])) then let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4) in k'_3 <-R kemkey_t; AuthDecap_Some(k'_3) else AuthDecap_None else AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4)) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability (#Oaenc * N + N^2) * P_pk_coll] + - Expand if/find/let + - Remove else branch of find at 754 + - Remove let at 658 + - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 658 + - Remove else branch of let at 658 + - A single branch always succeeds in find at 754 + - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 658 + - Remove else branch of let at 658 + - Remove branch 2 in find at 663 + - Simplify pattern AuthDecap_Some(shared_secret_5: kemkey_t) (tuple expanded) at 658 + - Remove else branch of let at 658 + - Remove let at 321 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 321 + - Remove else branch of let at 321 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 321 + - Remove else branch of let at 321 + - Remove branch 3 in find at 330 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 321 + - Remove else branch of let at 321 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 321 + - Remove else branch of let at 321 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) (tuple expanded) at 160 + - Remove else branch of let at 160 + - Simplify pattern AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) (tuple expanded) at 26 + - Remove else branch of let at 26 +yields + 
+Game 19 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + pk_R_3: pkey_t <- pk_2; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_R_3, skgen(s)) in + ce: kemciph_t <- ce_2; + k_1: kemkey_t <- k_6; + k': kemkey_t <- cst_kemkey_t; + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + k': kemkey_t <- cst_kemkey_t; + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + pk_R_2: pkey_t <- pk_2; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_R_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + shared_secret_3: kemkey_t <- k_5; + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + let 
AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + pk_S_3: pkey_t <- pk_3; + cd_2: kemciph_t <- enc_7; + find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(s[ri_17], pk_S_3[ri_16, ri_17], k'_2[ri_16, ri_17], cd_2[ri_16, ri_17]) && (pkgen(s) = pkgen(s[ri_17])) && (pk_S_3[ri_16, ri_17] = pk_S_3) && (cd_2[ri_16, ri_17] = cd_2) then + shared_secret_4: kemkey_t <- k'_2[u_20, u_21]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(s[i''_1], pk_S_4, k'_3, cd_3) && (pkgen(s) = pkgen(s[i''_1])) && (pk_S_4 = pk_S_3) && (cd_3 = cd_2) then + shared_secret_4: kemkey_t <- k'_3; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, 
key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(s[ri_13], pk_R_3[ri_12, ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && (pkgen(s) = pk_R_3[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_S_3) && (ce_2[ri_12, ri_13] = cd_2) then + shared_secret_4: kemkey_t <- k_6[u_16, u_17]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_S_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in + k'_2 <-R kemkey_t; + shared_secret_4: kemkey_t <- k'_2; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd_2, skgen(s), pk_S_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, 
i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + pk_S_4: pkey_t <- pk_S; + cd_3: kemciph_t <- enc_star; + find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(s[ri_10], pk_S_3[ri_9, ri_10], k'_2[ri_9, ri_10], cd_2[ri_9, ri_10]) && (pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_S_3[ri_9, ri_10] = pk_S_4) && (cd_2[ri_9, ri_10] = cd_3) then + shared_secret_5: kemkey_t <- k'_2[u_13, u_14]; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(s[ri_6], pk_R_3[ri_5, ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && (pkgen(s[i''_1]) = pk_R_3[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S_4) && (ce_2[ri_5, ri_6] = cd_3) then + shared_secret_5: kemkey_t <- k_6[u_9, u_10]; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(cd_3, skgen(s[i''_1]), pk_S_4) in + k'_3 <-R kemkey_t; + shared_secret_5: kemkey_t <- k'_3; + r_5: 
keys_t <- KeySchedule_auth(shared_secret_5, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pk_S_4 (definition point kept, all usages removed) + - Remove assignments on cd_3 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on pk_S_3 (definition point kept, all usages removed) + - Remove assignments on cd_2 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on pk_R_2 (definition removed, all usages removed) + - Remove assignments on shared_secret_3 (definition removed, all usages removed) + - Remove assignments on enc_4 (definition kept, array references kept) + - Remove assignments on pk_R_3 (definition removed, all usages removed) + - Remove assignments on k' (definition removed, all usages removed) + - Remove assignments on k_1 (definition removed, all usages removed) + - Remove assignments on k' (definition removed, all usages removed) + - Remove assignments on ce (definition kept, array references kept) +yields + +Game 20 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: 
bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + ce: kemciph_t <- ce_2; + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach 
iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + pk_S_3: pkey_t <- cst_pkey_t; + {407} find u_20 = ri_16 <= Qdperuser, u_21 = ri_17 <= N suchthat defined(pk_3[ri_16, ri_17], enc_7[ri_16, ri_17], pk_S_3[ri_16, ri_17], s[ri_17], k'_2[ri_16, ri_17]) && {417}((pkgen(s) = pkgen(s[ri_17])) && (pk_3[ri_16, ri_17] = pk_3) && (enc_7[ri_16, ri_17] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_20, u_21], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(pk_S, enc_star, pk_S_4, s[i''_1], k'_3) && {493}((pkgen(s) = pkgen(s[i''_1])) && (pk_S = pk_3) && (enc_star = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_16 = ri_12 <= Qeperuser, u_17 = ri_13 <= N suchthat defined(pk_2[ri_12, ri_13], k_3[ri_12, ri_13], s[ri_13], k_6[ri_12, ri_13], ce_2[ri_12, ri_13]) && {567}((pkgen(s) = pk_2[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_3) && (ce_2[ri_12, ri_13] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k_6[u_16, u_17], info_6); + nonce_9: 
nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- 
get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + pk_S_4: pkey_t <- cst_pkey_t; + {884} find u_13 = ri_9 <= Qdperuser, u_14 = ri_10 <= N suchthat defined(pk_3[ri_9, ri_10], enc_7[ri_9, ri_10], pk_S_3[ri_9, ri_10], s[ri_10], k'_2[ri_9, ri_10]) && {894}((pkgen(s[i''_1]) = pkgen(s[ri_10])) && (pk_3[ri_9, ri_10] = pk_S) && (enc_7[ri_9, ri_10] = enc_star)) then + r_5: keys_t <- KeySchedule_auth(k'_2[u_13, u_14], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_9 = ri_5 <= Qeperuser, u_10 = ri_6 <= N suchthat defined(pk_2[ri_5, ri_6], k_3[ri_5, ri_6], s[ri_6], k_6[ri_5, ri_6], ce_2[ri_5, ri_6]) && {948}((pkgen(s[i''_1]) = pk_2[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S) && (ce_2[ri_5, ri_6] = enc_star)) then + r_5: keys_t <- KeySchedule_auth(k_6[u_9, u_10], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((pkgen(s[i''_1]) = pk_2[ri_5, ri_6]) && (pkgen(s[ri_6]) = pk_S) && (ce_2[ri_5, ri_6] = enc_star)) with ((i''_1 = u_8[ri_5, ri_6]) && (ri_6 = i'_1) && (ce_2[ri_5, ri_6] = enc_star)) at 948 + - Remove branch 2 in find at 884 + - Replaced ((pkgen(s[i''_1]) = 
pkgen(s[ri_10])) && (pk_3[ri_9, ri_10] = pk_S) && (enc_7[ri_9, ri_10] = enc_star)) with ((i''_1 = ri_10) && (u_22[ri_9, ri_10] = i'_1) && (enc_7[ri_9, ri_10] = enc_star)) at 894 + - In branch 1 of find at 884, substituting u_14 with i''_1 + - Replaced defined condition pk_3[ri_9, ri_10], enc_7[ri_9, ri_10], pk_S_3[ri_9, ri_10], s[ri_10], k'_2[ri_9, ri_10] with k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] in find at 884 + - Replaced ((pkgen(s) = pk_2[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_3) && (ce_2[ri_12, ri_13] = enc_7)) with ((i = u_8[ri_12, ri_13]) && (pkgen(s[ri_13]) = pk_3) && (ce_2[ri_12, ri_13] = enc_7)) at 567 + - Remove branch 3 in find at 407 + - Replaced ((pkgen(s) = pkgen(s[i''_1])) && (pk_S = pk_3) && (enc_star = enc_7)) with ((i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7)) at 493 + - Replaced defined condition pk_S, enc_star, pk_S_4, s[i''_1], k'_3 with k'_3, enc_star, pk_S, i''_1 in find at 407 + - Replaced ((pkgen(s) = pkgen(s[ri_17])) && (pk_3[ri_16, ri_17] = pk_3) && (enc_7[ri_16, ri_17] = enc_7)) with ((i = ri_17) && (pk_3[ri_16, ri_17] = pk_3) && (enc_7[ri_16, ri_17] = enc_7)) at 417 + - In branch 1 of find at 407, substituting u_21 with i + - Replaced defined condition pk_3[ri_16, ri_17], enc_7[ri_16, ri_17], pk_S_3[ri_16, ri_17], s[ri_17], k'_2[ri_16, ri_17] with k'_2[ri_16], enc_7[ri_16], pk_3[ri_16] in find at 407 +yields + +Game 21 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + ce: kemciph_t <- ce_2; + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- 
Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- 
get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + pk_S_3: pkey_t <- cst_pkey_t; + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && {414}((i = i) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7)) then + u_21 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + 
return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + pk_S_4: pkey_t <- cst_pkey_t; + find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && {796}((i''_1 = i''_1) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star)) then + u_14 <= N <- i''_1; + r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - 
Simplification pass + - Replaced ((i''_1 = i''_1) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star)) with ((u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star)) at 796 + - Replaced ((i = i) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7)) with ((pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7)) at 414 +yields + +Game 22 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + ce: kemciph_t <- ce_2; + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: 
bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + pk_S_3: pkey_t <- cst_pkey_t; + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + u_21 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + pk_S_4: pkey_t <- cst_pkey_t; 
+ find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + u_14 <= N <- i''_1; + r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to pk_S_4 + - Move assignment to pk_S_3 +yields + +Game 23 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = AuthEncap_r(k_3, pk_2, skgen(s)) in + ce: kemciph_t <- ce_2; + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let 
AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + u_21 <= N <- i; + r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); + 
nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = 
enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + u_14 <= N <- i''_1; + r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_14 (definition removed, all usages removed) + - Remove assignments on u_21 (definition removed, all usages removed) +yields + +Game 24 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = 
AuthEncap_r(k_3, pk_2, skgen(s)) in + ce: kemciph_t <- ce_2; + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_2, pk_2, skgen(s)) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, 
ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: 
bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else 
+ return(bottom) + else + return(bottom) + )) + + +Applying equivalence eliminate_failing(AuthEncap) + - Equivalence eliminate_failing(AuthEncap) +yields + +Game 25 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + {26} let AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) = (k_8: kemseed_t <- k_3; pk_5: pkey_t <- pk_2; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_8, pk_5, sk_2), AuthEncap_enc_r(k_8, pk_5, sk_2))) in + ce: kemciph_t <- ce_2; + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + let AuthEncap_tuple(k_1: kemkey_t, ce: kemciph_t) = AuthEncap_None in + enc_4: kemciph_t <- ce; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + {226} let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = (k_7: kemseed_t <- k_2; pk_4: pkey_t <- pk_2; sk_1: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key_r(k_7, pk_4, sk_1), AuthEncap_enc_r(k_7, pk_4, sk_1))) in + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, 
info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_4: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_4, ct_8)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else 
+ return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= 
Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) (tuple expanded) at 226 + - Remove else branch of let at 226 + - Simplify pattern AuthEncap_tuple(k_6: kemkey_t, ce_2: kemciph_t) (tuple expanded) at 26 + - Remove else branch of let at 26 +yields + +Game 26 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + k_8: kemseed_t <- k_3; + pk_5: pkey_t <- pk_2; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_8, pk_5, sk_2); + k_6: kemkey_t <- AuthEncap_key_r(k_8, pk_5, sk_2); + ce: kemciph_t <- ce_2; + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + k_7: kemseed_t <- k_2; + pk_4: pkey_t <- pk_2; + sk_1: 
skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_7, pk_4, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_7, pk_4, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(k'_1[ri_2, ri_3], ce[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, 
skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(k'_1[ri, i'_1], ce[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + r_5: keys_t <- 
KeySchedule_auth(k'_2[u_13, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k_7 (definition removed, all usages removed) + - Remove assignments on pk_4 (definition removed, all usages removed) + - Remove assignments on k_8 (definition removed, all usages removed) + - Remove assignments on pk_5 (definition removed, all usages removed) + - Remove assignments on k_6 (definition removed, all usages removed) + - Remove assignments on ce (definition removed, all usages removed) +yields + +Game 27 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- 
KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_6, u_7], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_2[u_20], info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2 <-R kemkey_t; + r_4: keys_t <- KeySchedule_auth(k'_2, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: 
bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_1[u_4, i'_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + r_5: keys_t <- KeySchedule_auth(k'_2[u_13, i''_1], info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, 
nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_star); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence prf(KeySchedule_auth) with k'_3, k'_2, k'_1 [probability Adv_PRF_KeySchedule(time_3, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec + #Oaenc)] + - Equivalence prf(KeySchedule_auth) with variables: k'_1 -> k_1, k'_2 -> k_1, k'_3 -> k_1 +yields + +Game 28 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_3: keys_t <- (x: bitstring <- info_5; {52}find [unique] u_37 = ri_43 <= Qdperuser, u_38 = ri_44 <= N suchthat defined(u_7[ri_43, ri_44], u_6[ri_43, ri_44], x_4[ri_43, ri_44], r_10[ri_43, ri_44]) && {61}((u_6[ri_43, ri_44] = iae) && (u_7[ri_43, ri_44] = i) && (x = x_4[ri_43, ri_44])) then r_10[u_37, u_38] orfind suchthat defined(i'_1, u_4, x_7, r_13) && {87}((u_4 = iae) && (i'_1 = i) && (x = x_7)) then r_13 else r_6 <-R keys_t; r_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t 
<- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + r_4: keys_t <- (x_4: bitstring <- info_6; find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then r_6[u_6, u_7] orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(r_10[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then r_10[u_35, u_36] orfind suchthat defined(r_13, x_7, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then r_13 else r_10 <-R keys_t; r_10); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + r_4: keys_t <- (x_2: bitstring <- info_6; find [unique] suchthat defined(x_1[u_20], r_7[u_20]) && (x_2 = x_1[u_20]) then r_7[u_20] orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(r_8[ri_33, ri_34], x_2[ri_33, ri_34], u_20[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then r_8[u_31, u_32] orfind suchthat defined(r_12, x_6, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (x_2 = x_6) then r_12 else r_8 <-R keys_t; r_8); + nonce_9: nonce_t <- 
get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + r_4: keys_t <- (x_3: bitstring <- info_6; find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then r_9[u_33, u_34] orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then r_11 else r_9 <-R keys_t; r_9); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2: kemkey_t <- cst_kemkey_t; + r_4: keys_t <- (x_1: bitstring <- info_6; {658}find [unique] u_29 = ri_29 <= Qdperuser, u_30 = ri_30 <= N suchthat defined(u_20[ri_29, ri_30], x_2[ri_29, ri_30], r_8[ri_29, ri_30]) && {665}((u_20[ri_29, ri_30] = iad) && (ri_30 = i) && (x_1 = x_2[ri_29, ri_30])) then r_8[u_29, u_30] orfind suchthat defined(i''_1, u_13, x_6, r_12) && {689}((u_13 = iad) && (i''_1 = i) && (x_1 = x_6)) then r_12 else r_7 <-R keys_t; r_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, 
aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + r_5: keys_t <- (x_7: bitstring <- info_star; find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then r_6[u_4, i'_1] orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then r_10[u_27, u_28] else r_13 <-R keys_t; r_13); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + r_5: keys_t <- (x_6: bitstring <- info_star; find [unique] suchthat defined(x_1[u_13, i''_1], r_7[u_13, i''_1]) && (x_6 = x_1[u_13, i''_1]) then r_7[u_13, i''_1] orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(r_8[ri_21, ri_22], x_2[ri_21, ri_22], 
u_20[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then r_8[u_25, u_26] else r_12 <-R keys_t; r_12); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_5: bitstring <- info_star; {1050}find [unique] else r_11 <-R keys_t; r_11); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify (non-expanded game) [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((u_4 = iae) && (i'_1 = i) && (x = x_7)) with false at 87 + - Remove branch 2 in find at 52 + - Replaced ((u_6[ri_43, ri_44] = iae) && (u_7[ri_43, ri_44] = i) && (x = x_4[ri_43, ri_44])) with false at 61 + - Remove branch 1 in find at 52 + - Find at 52 removed (else branch kept if any) + - Replaced ((u_13 = iad) && (i''_1 = i) && (x_1 = x_6)) with false at 689 + - Remove branch 2 in find at 658 + - Replaced ((u_20[ri_29, ri_30] = iad) && (ri_30 = i) && (x_1 = x_2[ri_29, ri_30])) with false at 665 + - Remove branch 1 in find at 658 + - Find at 658 removed (else branch kept if any) + - Find at 1050 removed (else branch kept if any) +yields + +Game 29 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + k'_1: 
kemkey_t <- cst_kemkey_t; + r_3: keys_t <- (x: bitstring <- info_5; r_6 <-R keys_t; r_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + r_4: keys_t <- (x_4: bitstring <- info_6; find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then r_6[u_6, u_7] orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(r_10[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then r_10[u_35, u_36] orfind suchthat defined(r_13, x_7, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then r_13 else r_10 <-R keys_t; r_10); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + r_4: keys_t <- (x_2: bitstring <- info_6; find [unique] 
suchthat defined(x_1[u_20], r_7[u_20]) && (x_2 = x_1[u_20]) then r_7[u_20] orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(r_8[ri_33, ri_34], x_2[ri_33, ri_34], u_20[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then r_8[u_31, u_32] orfind suchthat defined(r_12, x_6, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (x_2 = x_6) then r_12 else r_8 <-R keys_t; r_8); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + r_4: keys_t <- (x_3: bitstring <- info_6; find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then r_9[u_33, u_34] orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then r_11 else r_9 <-R keys_t; r_9); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2: kemkey_t <- cst_kemkey_t; + r_4: keys_t <- (x_1: bitstring <- info_6; r_7 <-R keys_t; r_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: 
nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + r_5: keys_t <- (x_7: bitstring <- info_star; find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then r_6[u_4, i'_1] orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then r_10[u_27, u_28] else r_13 <-R keys_t; r_13); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + r_5: keys_t <- (x_6: bitstring <- info_star; find [unique] suchthat defined(x_1[u_13, i''_1], r_7[u_13, i''_1]) && (x_6 = x_1[u_13, i''_1]) then r_7[u_13, i''_1] orfind u_25 = 
ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(r_8[ri_21, ri_22], x_2[ri_21, ri_22], u_20[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then r_8[u_25, u_26] else r_12 <-R keys_t; r_12); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_5: bitstring <- info_star; r_11 <-R keys_t; r_11); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 30 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + x: bitstring <- info_5; + r_6 <-R keys_t; + r_3: keys_t <- r_6; + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- 
cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + x_4: bitstring <- info_6; + find [unique] suchthat defined(x[u_6, u_7], r_6[u_6, u_7]) && (x_4 = x[u_6, u_7]) then + r_4: keys_t <- r_6[u_6, u_7]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(r_10[ri_39, ri_40], x_4[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (x_4 = x_4[ri_39, ri_40]) then + r_4: keys_t <- r_10[u_35, u_36]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, x_7, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (x_4 = x_7) then + r_4: keys_t <- r_13; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + r_4: keys_t <- r_10; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(k'_2[ri_16], 
enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + x_2: bitstring <- info_6; + find [unique] suchthat defined(x_1[u_20], r_7[u_20]) && (x_2 = x_1[u_20]) then + r_4: keys_t <- r_7[u_20]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(r_8[ri_33, ri_34], x_2[ri_33, ri_34], u_20[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (x_2 = x_2[ri_33, ri_34]) then + r_4: keys_t <- r_8[u_31, u_32]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, x_6, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (x_2 = x_6) then + r_4: keys_t <- r_12; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + r_4: keys_t <- r_8; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(k'_3, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + x_3: bitstring <- info_6; + find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (x_3 = x_3[ri_37, ri_38]) then + r_4: keys_t <- r_9[u_33, u_34]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, 
aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(x_5, r_11) && (x_3 = x_5) then + r_4: keys_t <- r_11; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + r_4: keys_t <- r_9; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + k'_2: kemkey_t <- cst_kemkey_t; + x_1: bitstring <- info_6; + r_7 <-R keys_t; + r_4: keys_t <- r_7; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], 
aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + x_7: bitstring <- info_star; + find [unique] suchthat defined(x[u_4, i'_1], r_6[u_4, i'_1]) && (x_7 = x[u_4, i'_1]) then + r_5: keys_t <- r_6[u_4, i'_1]; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], x_4[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (x_7 = x_4[ri_25, ri_26]) then + r_5: keys_t <- r_10[u_27, u_28]; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + r_5: keys_t <- r_13; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(k'_2[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + x_6: bitstring <- info_star; + find [unique] suchthat defined(x_1[u_13, i''_1], r_7[u_13, i''_1]) && (x_6 = x_1[u_13, i''_1]) then + r_5: keys_t <- r_7[u_13, i''_1]; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + 
event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(r_8[ri_21, ri_22], x_2[ri_21, ri_22], u_20[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (x_6 = x_2[ri_21, ri_22]) then + r_5: keys_t <- r_8[u_25, u_26]; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + r_5: keys_t <- r_12; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + k'_3: kemkey_t <- cst_kemkey_t; + x_5: bitstring <- info_star; + r_11 <-R keys_t; + r_5: keys_t <- r_11; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k'_3 (definition removed, all usages removed) + - Remove assignments on x_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on x_6 (definition point kept, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on x_7 (definition point kept, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all 
usages removed) + - Remove assignments on k'_2 (definition removed, all usages removed) + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on x_2 (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on x_3 (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on x_4 (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on x (definition removed, all usages removed) + - Remove assignments on r_3 (definition removed, all usages removed) +yields + +Game 31 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + 
return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + {177} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + x_4: bitstring <- cst_bitstring; + {208} find [unique] suchthat defined(info_5[u_6, u_7], ce_2[u_6, u_7], r_6[u_6, u_7]) && (info_6 = info_5[u_6, u_7]) then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser, u_36 = ri_40 <= N suchthat defined(info_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40]) && (u_6[ri_39, ri_40] = u_6) && (u_7[ri_39, ri_40] = u_7) && (info_6 = info_6[ri_39, ri_40]) then + nonce_9: nonce_t <- get2(r_10[u_35, u_36]); + key_8: key_t <- get1(r_10[u_35, u_36]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_star, x_7, r_13, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, 
nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + {458} find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + x_2: bitstring <- cst_bitstring; + {482} find [unique] suchthat defined(info_6[u_20], r_7[u_20]) && (info_6 = info_6[u_20]) then + nonce_9: nonce_t <- get2(r_7[u_20]); + key_8: key_t <- get1(r_7[u_20]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser, u_32 = ri_34 <= N suchthat defined(info_6[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34], u_20[ri_33, ri_34]) && (u_20[ri_33, ri_34] = u_20) && (ri_34 = i) && (info_6 = info_6[ri_33, ri_34]) then + nonce_9: nonce_t <- get2(r_8[u_31, u_32]); + key_8: key_t <- get1(r_8[u_31, u_32]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_star, x_6, r_12, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + 
return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + x_3: bitstring <- cst_bitstring; + {725} find [unique] u_33 = ri_37 <= Qdperuser, u_34 = ri_38 <= N suchthat defined(info_6[ri_37, ri_38], x_3[ri_37, ri_38], r_9[ri_37, ri_38]) && (info_6 = info_6[ri_37, ri_38]) then + nonce_9: nonce_t <- get2(r_9[u_33, u_34]); + key_8: key_t <- get1(r_9[u_33, u_34]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_star, r_11) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else +{1053} find u_4 = ri <= Qeperuser suchthat defined(ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + x_7: bitstring <- cst_bitstring; +{1073} find [unique] suchthat defined(info_5[u_4, i'_1], ce_2[u_4, i'_1], r_6[u_4, i'_1]) && (info_star = info_5[u_4, i'_1]) then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(info_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else +{1179} find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, 
i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + x_6: bitstring <- cst_bitstring; +{1199} find [unique] suchthat defined(info_6[u_13, i''_1], r_7[u_13, i''_1]) && (info_star = info_6[u_13, i''_1]) then + nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); + key_10: key_t <- get1(r_7[u_13, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser, u_26 = ri_22 <= N suchthat defined(info_6[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22], u_20[ri_21, ri_22]) && (u_20[ri_21, ri_22] = u_13) && (ri_22 = i''_1) && (info_star = info_6[ri_21, ri_22]) then + nonce_12: nonce_t <- get2(r_8[u_25, u_26]); + key_10: key_t <- get1(r_8[u_25, u_26]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - In branch 2 of find at 1199, substituting u_26 with i''_1 + - Replaced defined condition info_6[ri_21, ri_22], x_2[ri_21, ri_22], r_8[ri_21, ri_22], u_20[ri_21, ri_22] with r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1] in find at 1199 + - Replaced defined condition info_6[u_13, i''_1], r_7[u_13, i''_1] with an empty condition in find at 1199 + - Replaced 
defined condition r_7[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] with r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1] in find at 1179 + - Replaced defined condition info_6[ri_25, ri_26], x_4[ri_25, ri_26], r_10[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26] with r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26] in find at 1073 + - Replaced defined condition info_5[u_4, i'_1], ce_2[u_4, i'_1], r_6[u_4, i'_1] with an empty condition in find at 1073 + - Replaced defined condition ce_2[ri, i'_1], k'_1[ri, i'_1], u_8[ri, i'_1] with r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1] in find at 1053 + - Replaced defined condition info_star, r_11 with an empty condition in find at 725 + - In branch 1 of find at 725, substituting u_34 with i + - Replaced defined condition info_6[ri_37, ri_38], x_3[ri_37, ri_38], r_9[ri_37, ri_38] with r_9[ri_37], info_6[ri_37] in find at 725 + - Replaced defined condition r_11, enc_star, pk_S, i''_1 with r_11, info_star, enc_star, pk_S, i''_1 in find at 458 + - Replaced defined condition info_star, x_6, r_12, i''_1, u_13 with r_12, info_star, i''_1, u_13 in find at 482 + - In branch 2 of find at 482, substituting u_32 with i + - Replaced defined condition info_6[ri_33, ri_34], x_2[ri_33, ri_34], r_8[ri_33, ri_34], u_20[ri_33, ri_34] with r_8[ri_33], info_6[ri_33], u_20[ri_33] in find at 482 + - Replaced defined condition info_6[u_20], r_7[u_20] with an empty condition in find at 482 + - Replaced defined condition r_7[ri_16], enc_7[ri_16], pk_3[ri_16] with r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16] in find at 458 + - Replaced defined condition info_star, x_7, r_13, i'_1, u_4 with r_13, info_star, i'_1, u_4 in find at 208 + - In branch 2 of find at 208, substituting u_36 with i + - Replaced defined condition info_6[ri_39, ri_40], x_4[ri_39, ri_40], r_10[ri_39, ri_40], u_7[ri_39, ri_40], u_6[ri_39, ri_40] with r_10[ri_39], info_6[ri_39], u_7[ri_39], 
u_6[ri_39] in find at 208 + - Replaced defined condition info_5[u_6, u_7], ce_2[u_6, u_7], r_6[u_6, u_7] with an empty condition in find at 208 + - Replaced defined condition ce_2[ri_2, ri_3], k'_1[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] with r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 177 +yields + +Game 32 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + x_4: bitstring <- cst_bitstring; + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, 
key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + u_36 <= N <- i; + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + x_2: bitstring <- cst_bitstring; + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- get2(r_7[u_20]); + key_8: key_t <- get1(r_7[u_20]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && {524}((u_20[ri_33] = u_20) && (i = i) && (info_6 = info_6[ri_33])) then + u_32 <= N <- i; + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) 
in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + x_3: bitstring <- cst_bitstring; + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + u_34 <= N <- i; + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- 
get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + x_7: bitstring <- cst_bitstring; + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + 
nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + x_6: bitstring <- cst_bitstring; + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); + key_10: key_t <- get1(r_7[u_13, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && {1199}((u_20[ri_21, i''_1] = u_13) && (i''_1 = i''_1) && (info_star = info_6[ri_21, i''_1])) then + u_26 <= N <- i''_1; + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + 
return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((u_20[ri_21, i''_1] = u_13) && (i''_1 = i''_1) && (info_star = info_6[ri_21, i''_1])) with ((u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1])) at 1199 + - Replaced ((u_20[ri_33] = u_20) && (i = i) && (info_6 = info_6[ri_33])) with ((u_20[ri_33] = u_20) && (info_6 = info_6[ri_33])) at 524 +yields + +Game 33 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + x_4: bitstring <- cst_bitstring; + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t 
<- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + u_36 <= N <- i; + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + x_2: bitstring <- cst_bitstring; + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- get2(r_7[u_20]); + key_8: key_t <- get1(r_7[u_20]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + u_32 <= N <- i; + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let 
injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + x_3: bitstring <- cst_bitstring; + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + u_34 <= N <- i; + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, 
skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + x_7: bitstring <- cst_bitstring; + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = 
i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + x_6: bitstring <- cst_bitstring; + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); + key_10: key_t <- get1(r_7[u_13, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + u_26 <= N <- i''_1; + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + 
return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to x_6 + - Move assignment to x_7 + - Move assignment to x_2 + - Move assignment to x_3 + - Move assignment to x_4 +yields + +Game 34 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + k'_1: kemkey_t <- cst_kemkey_t; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + k'_1: kemkey_t <- cst_kemkey_t; + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat 
defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + u_36 <= N <- i; + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- get2(r_7[u_20]); + key_8: key_t <- get1(r_7[u_20]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + u_32 <= N <- i; + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) 
then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + u_34 <= N <- i; + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let 
AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t 
<- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); + key_10: key_t <- get1(r_7[u_13, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + u_26 <= N <- i''_1; + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_26 (definition removed, all usages removed) + - Remove assignments on u_32 (definition removed, all usages removed) + - Remove assignments on u_34 (definition removed, all usages removed) + - Remove assignments on u_36 (definition removed, all usages removed) + - Remove 
assignments on k'_1 (definition removed, all usages removed) + - Remove assignments on k'_1 (definition removed, all usages removed) +yields + +Game 35 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: 
nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- get2(r_7[u_20]); + key_8: key_t <- get1(r_7[u_20]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + 
return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- get2(r_11); + key_8: key_t <- get1(r_11); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t 
<- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + 
find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); + key_10: key_t <- get1(r_7[u_13, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + r_11 <-R keys_t; + nonce_12: nonce_t <- get2(r_11); + key_10: key_t <- get1(r_11); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_11 -> r +yields + +Game 36 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- 
ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- get2(r_7[u_20]); + key_8: key_t <- get1(r_7[u_20]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_12); + key_8: key_t <- get1(r_12); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && 
(info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], 
aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); + key_10: key_t <- get1(r_7[u_13, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], 
u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_12 <-R keys_t; + nonce_12: nonce_t <- get2(r_12); + key_10: key_t <- get1(r_12); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_12 -> r +yields + +Game 37 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, 
nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- get2(r_13); + key_8: key_t <- get1(r_13); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- 
get2(r_7[u_20]); + key_8: key_t <- get1(r_7[u_20]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: 
nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + r_13 <-R keys_t; + nonce_12: nonce_t <- get2(r_13); + key_10: key_t <- get1(r_13); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); + key_10: key_t <- get1(r_7[u_13, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, 
aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_13 -> r +yields + +Game 38 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] 
then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- get2(r_7[u_20]); + key_8: key_t <- get1(r_7[u_20]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let 
injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_7 <-R keys_t; + 
nonce_9: nonce_t <- get2(r_7); + key_8: key_t <- get1(r_7); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- 
get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- get2(r_7[u_13, i''_1]); + key_10: key_t <- get1(r_7[u_13, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else 
+ return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_7 -> r +yields + +Game 39 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then 
+ nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- part2_3[u_20]; + key_8: key_t <- part1_3[u_20]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, 
key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- get2(r_9[u_33]); + key_8: key_t <- get1(r_9[u_33]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_9 <-R keys_t; + nonce_9: nonce_t <- get2(r_9); + key_8: key_t <- get1(r_9); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + 
r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: 
bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- part2_3[u_13, i''_1]; + key_10: key_t <- part1_3[u_13, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_9 -> r +yields + +Game 40 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, 
aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) 
&& (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- part2_3[u_20]; + key_8: key_t <- part1_3[u_20]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- get2(r_8[u_31]); + key_8: key_t <- get1(r_8[u_31]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_8 <-R keys_t; + nonce_9: nonce_t <- get2(r_8); + key_8: key_t <- get1(r_8); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + 
return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- part2_4[u_33]; + key_8: key_t <- part1_4[u_33]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + r_9: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_4; + key_8: key_t <- part1_4; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + 
return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], 
part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- part2_3[u_13, i''_1]; + key_10: key_t <- part1_3[u_13, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- get2(r_8[u_25, i''_1]); + key_10: key_t <- get1(r_8[u_25, i''_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_8 -> r +yields + +Game 41 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- 
AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- get2(r_10[u_35]); + key_8: key_t <- get1(r_10[u_35]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + 
return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_10 <-R keys_t; + nonce_9: nonce_t <- get2(r_10); + key_8: key_t <- get1(r_10); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- part2_3[u_20]; + key_8: key_t <- part1_3[u_20]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- part2_5[u_31]; + key_8: key_t <- part1_5[u_31]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + r_8: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_5; + key_8: key_t <- part1_5; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, 
info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- part2_4[u_33]; + key_8: key_t <- part1_4[u_33]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + r_9: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_4; + key_8: key_t <- part1_4; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + 
Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- get2(r_10[u_27, u_28]); + key_10: key_t <- get1(r_10[u_27, u_28]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, 
i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- part2_3[u_13, i''_1]; + key_10: key_t <- part1_3[u_13, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- part2_5[u_25, i''_1]; + key_10: key_t <- part1_5[u_25, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_10 -> r +yields + +Game 42 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + r_6 <-R keys_t; + nonce_6: nonce_t <- 
get2(r_6); + key_6: key_t <- get1(r_6); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- get2(r_6[u_6, u_7]); + key_8: key_t <- get1(r_6[u_6, u_7]); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- part2_6[u_35]; + key_8: key_t <- part1_6[u_35]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + r_10: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_6; + key_8: key_t <- part1_6; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- part2_3[u_20]; + key_8: key_t <- part1_3[u_20]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- part2_5[u_31]; + key_8: key_t <- part1_5[u_31]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + r_8: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_5; + key_8: key_t <- part1_5; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, 
enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- part2_4[u_33]; + key_8: key_t <- part1_4[u_33]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + r_9: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_4; + key_8: key_t <- part1_4; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: 
pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- get2(r_6[u_4, i'_1]); + key_10: key_t <- get1(r_6[u_4, i'_1]); + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- part2_6[u_27, u_28]; + key_10: key_t <- part1_6[u_27, u_28]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, 
i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- part2_3[u_13, i''_1]; + key_10: key_t <- part1_3[u_13, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- part2_5[u_25, i''_1]; + key_10: key_t <- part1_5[u_25, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_6 -> r +yields + +Game 43 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + part2_7 
<-R nonce_t; + part1_7 <-R key_t; + r_6: keys_t <- cst_keys_t; + nonce_6: nonce_t <- part2_7; + key_6: key_t <- part1_7; + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], r_6[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + nonce_9: nonce_t <- part2_7[u_6, u_7]; + key_8: key_t <- part1_7[u_6, u_7]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], r_10[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + nonce_9: nonce_t <- part2_6[u_35]; + key_8: key_t <- part1_6[u_35]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, r_13, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_2; + key_8: key_t <- part1_2; + let injbot(pt_6: bitstring) 
= Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + r_10: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_6; + key_8: key_t <- part1_6; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], r_7[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + nonce_9: nonce_t <- part2_3[u_20]; + key_8: key_t <- part1_3[u_20]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], r_8[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + nonce_9: nonce_t <- part2_5[u_31]; + key_8: key_t <- part1_5[u_31]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, r_12, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + r_8: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_5; + key_8: key_t <- part1_5; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + 
return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, r_11, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], r_9[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + nonce_9: nonce_t <- part2_4[u_33]; + key_8: key_t <- part1_4[u_33]; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + nonce_9: nonce_t <- part2; + key_8: key_t <- part1; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + r_9: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_4; + key_8: key_t <- part1_4; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_3; + key_8: key_t <- part1_3; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part2_7[ri, i'_1], part1_7[ri, i'_1], r_6[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + nonce_12: nonce_t <- part2_7[u_4, i'_1]; + key_10: key_t <- part1_7[u_4, i'_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], r_10[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + nonce_12: nonce_t <- part2_6[u_27, u_28]; + key_10: key_t <- part1_6[u_27, u_28]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_13: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_2; + key_10: key_t <- part1_2; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat 
defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], r_7[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + nonce_12: nonce_t <- part2_3[u_13, i''_1]; + key_10: key_t <- part1_3[u_13, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], r_8[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + nonce_12: nonce_t <- part2_5[u_25, i''_1]; + key_10: key_t <- part1_5[u_25, i''_1]; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_12: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2_1; + key_10: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + r_11: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, key_10, nonce_12) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on r_11 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_12 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition 
removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_13 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_7 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on r_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on r_9 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition 
removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on r_10 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on r_6 (definition removed, all usages removed) + - Remove assignments on nonce_6 (definition removed, all usages removed) + - Remove assignments on key_6 (definition removed, all usages removed) +yields + +Game 44 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + ct_8: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- 
KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part2_7[ri_2, ri_3], part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_7[u_6, u_7], part2_7[u_6, u_7]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part2_6[ri_39], part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6[u_35], part2_6[u_35]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_2, part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_2, part2_2) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_6, part2_6) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part2_3[ri_16], part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + let injbot(pt_6: 
bitstring) = Open_inner(c, aad_9, part1_3[u_20], part2_3[u_20]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part2_5[ri_33], part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5[u_31], part2_5[u_31]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2_1, part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_5, part2_5) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part2, part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1, part2) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && 
(pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_3, part2_3) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part2_7[ri, i'_1], part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_7[u_4, i'_1], part2_7[u_4, i'_1]) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part2_6[ri_25, ri_26], part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = 
i'_1) && (info_star = info_6[ri_25, ri_26]) then + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_6[u_27, u_28], part2_6[u_27, u_28]) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_2, part2_2) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part2_3[ri_9, i''_1], part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_3[u_13, i''_1], part2_3[u_13, i''_1]) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part2_5[ri_21, i''_1], part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_5[u_25, i''_1], part2_5[u_25, i''_1]) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1_1, part2_1) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(ciph_star, aad_star, part1, part2) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence int_ctxt(Seal_inner) with part1, part1_1, part1_5, part1_3, part1_2, part1_6, part1_7 [probability Adv_ctxt(time_4, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec)] + - Equivalence int_ctxt(Seal_inner) with variables: part2_2 -> n, part2_6 -> n, part2 -> n, part2_1 -> 
n, part2_5 -> n, part2_3 -> n, part2_7 -> n, part1_7 -> k_1, part1_6 -> k_1, part1_2 -> k_1, part1_3 -> k_1, part1_5 -> k_1, part1_1 -> k_1, part1 -> k_1 +yields + +Game 45 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + ct_8: bitstring <- (x_8: bitstring <- m; d: bitstring <- aad_8; r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); r_14); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + let injbot(pt_6: bitstring) = (y_7: bitstring <- c; c_d_7: bitstring <- aad_9; if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then injbot(x_8[u_6, u_7]) else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat 
defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + let injbot(pt_6: bitstring) = (y_8: bitstring <- c; c_d_8: bitstring <- aad_9; {328}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + let injbot(pt_6: bitstring) = (y_9: bitstring <- c; c_d_9: bitstring <- aad_9; {369}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + let injbot(pt_6: bitstring) = (y_6: bitstring <- c; c_d_6: bitstring <- aad_9; {395}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + let injbot(pt_6: bitstring) = (y_2: bitstring <- c; c_d_2: bitstring <- aad_9; {453}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + let injbot(pt_6: bitstring) = (y_3: bitstring <- c; c_d_3: bitstring <- aad_9; {498}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + let injbot(pt_6: bitstring) = (y_4: bitstring <- c; c_d_4: bitstring <- aad_9; {537}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + let injbot(pt_6: bitstring) = (y_1: bitstring <- c; c_d_1: bitstring <- aad_9; {563}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + let injbot(pt_6: bitstring) = (y_5: bitstring <- c; c_d_5: bitstring <- aad_9; {652}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + let injbot(pt_6: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_9; {727}find else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + 
else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + let injbot(pt_7: bitstring) = (y_15: bitstring <- ciph_star; c_d_15: bitstring <- aad_star; if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then injbot(x_8[u_4, i'_1]) else bottom) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + let injbot(pt_7: bitstring) = (y_16: bitstring <- ciph_star; c_d_16: bitstring <- aad_star; {957}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + let injbot(pt_7: bitstring) = (y_14: bitstring <- ciph_star; c_d_14: bitstring <- aad_star; {971}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, 
i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + let injbot(pt_7: bitstring) = (y_12: bitstring <- ciph_star; c_d_12: bitstring <- aad_star; {1009}find else bottom) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + let injbot(pt_7: bitstring) = (y_13: bitstring <- ciph_star; c_d_13: bitstring <- aad_star; {1038}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = (y_11: bitstring <- ciph_star; c_d_11: bitstring <- aad_star; {1052}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + let injbot(pt_7: bitstring) = (y_10: bitstring <- ciph_star; c_d_10: bitstring <- aad_star; {1073}find else bottom) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Find at 328 removed (else branch kept if any) + - Find at 369 removed (else branch kept if any) + - Find at 395 removed (else branch kept if any) + - Find at 453 removed (else branch kept if any) + - Find at 498 removed (else branch kept if any) + - Find at 537 removed (else branch kept if any) + - Find at 563 removed (else branch kept if any) + - Find at 652 removed (else branch kept if any) + - Find at 727 removed (else branch kept if any) + - Find at 957 removed (else branch kept if any) + - Find at 971 removed (else branch kept if any) + - Find at 1009 removed (else branch kept if any) + - Find at 1038 removed (else branch kept if any) + - Find at 1052 removed (else branch kept if any) + - Find at 
1073 removed (else branch kept if any) +yields + +Game 46 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + ct_8: bitstring <- (x_8: bitstring <- m; d: bitstring <- aad_8; r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); r_14); + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + {215} let injbot(pt_6: bitstring) = (y_7: bitstring <- c; c_d_7: bitstring <- aad_9; if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then injbot(x_8[u_6, u_7]) else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = 
info_6[ri_39]) then + {319} let injbot(pt_6: bitstring) = (y_8: bitstring <- c; c_d_8: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + {359} let injbot(pt_6: bitstring) = (y_9: bitstring <- c; c_d_9: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + {384} let injbot(pt_6: bitstring) = (y_6: bitstring <- c; c_d_6: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + {441} let injbot(pt_6: bitstring) = (y_2: bitstring <- c; c_d_2: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + {485} let injbot(pt_6: bitstring) = (y_3: bitstring <- c; c_d_3: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + {523} let injbot(pt_6: bitstring) = (y_4: bitstring <- c; c_d_4: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + {548} let injbot(pt_6: bitstring) = (y_1: bitstring <- c; c_d_1: bitstring <- 
aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + {636} let injbot(pt_6: bitstring) = (y_5: bitstring <- c; c_d_5: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + {710} let injbot(pt_6: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_9; bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, 
info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + {885} let injbot(pt_7: bitstring) = (y_15: bitstring <- ciph_star; c_d_15: bitstring <- aad_star; if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then injbot(x_8[u_4, i'_1]) else bottom) in + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + {943} let injbot(pt_7: bitstring) = (y_16: bitstring <- ciph_star; c_d_16: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + {956} let injbot(pt_7: bitstring) = (y_14: bitstring <- ciph_star; c_d_14: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + {993} let injbot(pt_7: bitstring) = (y_12: bitstring <- ciph_star; c_d_12: bitstring 
<- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then +{1021} let injbot(pt_7: bitstring) = (y_13: bitstring <- ciph_star; c_d_13: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; +{1034} let injbot(pt_7: bitstring) = (y_11: bitstring <- ciph_star; c_d_11: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; +{1054} let injbot(pt_7: bitstring) = (y_10: bitstring <- ciph_star; c_d_10: bitstring <- aad_star; bottom) in + event_abort adv_wins + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability N^2 * P_pk_coll] + - Expand if/find/let + - Remove let at 1054 + - Remove let at 1034 + - Remove let at 1021 + - Remove let at 993 + - Remove let at 956 + - Remove let at 943 + - Remove let at 885 + - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 885 + - Remove else branch of let at 885 + - Remove let at 710 + - Remove let at 636 + - Remove let at 548 + - Remove let at 523 + - Remove let at 485 + - Remove let at 441 + - Remove let at 384 + - Remove let at 359 + - Remove let at 319 + - Remove let at 215 + - Simplify pattern injbot(pt_6: bitstring) (tuple expanded) at 215 + - Remove else branch of let at 215 +yields + +Game 47 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t 
<- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + x_8: bitstring <- m; + d: bitstring <- aad_8; + r_14: bitstring <- Seal_inner(x_8, d, part1_7, part2_7); + ct_8: bitstring <- r_14; + return(SealAuth_Some(ce_2, ct_8)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat info_6 = info_5[u_6, u_7] then + y_7: bitstring <- c; + c_d_7: bitstring <- aad_9; + if defined(x_8[u_6, u_7], d[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = y_7) && (d[u_6, u_7] = c_d_7) then + pt_6: bitstring <- x_8[u_6, u_7]; + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + y_8: bitstring <- c; + c_d_8: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + y_9: bitstring <- c; + c_d_9: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + y_6: bitstring <- c; + c_d_6: bitstring <- aad_9; + 
return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + y_2: bitstring <- c; + c_d_2: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + y_3: bitstring <- c; + c_d_3: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + y_4: bitstring <- c; + c_d_4: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + else + part2_5 <-R nonce_t; + part1_5 <-R key_t; + y_1: bitstring <- c; + c_d_1: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + y_5: bitstring <- c; + c_d_5: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part2_3 <-R nonce_t; + part1_3 <-R key_t; + y: 
bitstring <- c; + c_d: bitstring <- aad_9; + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] suchthat info_star = info_5[u_4, i'_1] then + y_15: bitstring <- ciph_star; + c_d_15: bitstring <- aad_star; + if defined(x_8[u_4, i'_1], d[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = y_15) && (d[u_4, i'_1] = c_d_15) then + pt_7: bitstring <- x_8[u_4, i'_1]; + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + y_16: bitstring <- ciph_star; + c_d_16: bitstring <- aad_star; + return(bottom) + else + part2_2 <-R nonce_t; 
+ part1_2 <-R key_t; + y_14: bitstring <- ciph_star; + c_d_14: bitstring <- aad_star; + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + y_12: bitstring <- ciph_star; + c_d_12: bitstring <- aad_star; + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + y_13: bitstring <- ciph_star; + c_d_13: bitstring <- aad_star; + return(bottom) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + y_11: bitstring <- ciph_star; + c_d_11: bitstring <- aad_star; + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part2 <-R nonce_t; + part1 <-R key_t; + y_10: bitstring <- ciph_star; + c_d_10: bitstring <- aad_star; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on y_10 (definition removed, all usages removed) + - Remove assignments on c_d_10 (definition removed, all usages removed) + - Remove assignments on y_11 (definition removed, all usages removed) + - Remove assignments on c_d_11 (definition removed, all usages removed) + - Remove assignments on y_12 (definition removed, all usages removed) + - Remove assignments on c_d_12 (definition removed, all usages removed) + - Remove assignments on y_13 (definition removed, all usages removed) + - Remove assignments on c_d_13 (definition removed, all usages removed) + - Remove assignments on y_14 (definition removed, all usages removed) + - Remove assignments on c_d_14 (definition removed, all usages removed) + - Remove assignments on y_15 (definition removed, all usages removed) + - Remove assignments 
on c_d_15 (definition removed, all usages removed) + - Remove assignments on pt_7 (definition removed, all usages removed) + - Remove assignments on y_16 (definition removed, all usages removed) + - Remove assignments on c_d_16 (definition removed, all usages removed) + - Remove assignments on y (definition removed, all usages removed) + - Remove assignments on c_d (definition removed, all usages removed) + - Remove assignments on y_1 (definition removed, all usages removed) + - Remove assignments on c_d_1 (definition removed, all usages removed) + - Remove assignments on y_2 (definition removed, all usages removed) + - Remove assignments on c_d_2 (definition removed, all usages removed) + - Remove assignments on y_3 (definition removed, all usages removed) + - Remove assignments on c_d_3 (definition removed, all usages removed) + - Remove assignments on y_4 (definition removed, all usages removed) + - Remove assignments on c_d_4 (definition removed, all usages removed) + - Remove assignments on y_5 (definition removed, all usages removed) + - Remove assignments on c_d_5 (definition removed, all usages removed) + - Remove assignments on y_6 (definition removed, all usages removed) + - Remove assignments on c_d_6 (definition removed, all usages removed) + - Remove assignments on y_7 (definition removed, all usages removed) + - Remove assignments on c_d_7 (definition removed, all usages removed) + - Remove assignments on pt_6 (definition removed, all usages removed) + - Remove assignments on y_8 (definition removed, all usages removed) + - Remove assignments on c_d_8 (definition removed, all usages removed) + - Remove assignments on y_9 (definition removed, all usages removed) + - Remove assignments on c_d_9 (definition removed, all usages removed) + - Remove assignments on x_8 (definition removed, all usages removed) + - Remove assignments on d (definition removed, all usages removed) + - Remove assignments on ct_8 (definition kept, array references kept) +yields + 
+Game 48 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); + ct_8: bitstring <- r_14; + return(SealAuth_Some(ce_2, r_14)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + {196} find [unique] suchthat info_6 = info_5[u_6, u_7] then + {208} if defined(m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then + return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = 
info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + part2_6 <-R nonce_t; + part1_6 <-R key_t; + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + {423} part2_5 <-R nonce_t; + {424} part1_5 <-R key_t; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + {549} part2_3 <-R nonce_t; + {550} part1_3 <-R key_t; + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = 
AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + {702} find [unique] suchthat info_star = info_5[u_4, i'_1] then + {708} if defined(m[u_4, i'_1], aad_8[u_4, i'_1], part1_7[u_4, i'_1], r_14[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star) then + event_abort adv_wins + else + return(bottom) + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + return(bottom) + else + part2_2 <-R nonce_t; + part1_2 <-R key_t; + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, 
i''_1] then + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + return(bottom) + else + {819} part2_1 <-R nonce_t; + {820} part1_1 <-R key_t; + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + {832} part2 <-R nonce_t; + {833} part1 <-R key_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Transform unused random number generation at 833 into constant assignment + - Remove random number generation at 832 + - Transform unused random number generation at 820 into constant assignment + - Remove random number generation at 819 + - Simplified find at 708 in branch of find at 702 + - Transform unused random number generation at 550 into constant assignment + - Remove random number generation at 549 + - Transform unused random number generation at 424 into constant assignment + - Remove random number generation at 423 + - Simplified find at 208 in branch of find at 196 +yields + +Game 49 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); + ct_8: bitstring <- r_14; + return(SealAuth_Some(ce_2, r_14)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t 
<- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + {165} find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + {196} find [unique] suchthat defined(m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7]) && (info_6 = info_5[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then + return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + {326} if info_6 = info_5[u_6, u_7] then + return(OpenAuth_Some(Context_Open_None)) + else + {343} part2_6 <-R nonce_t; + {344} part1_6 <-R key_t; + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + 
return(OpenAuth_Some(Context_Open_None)) + else + part1_5: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = info_star then + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part1_3: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && 
(enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + {716} find [unique] suchthat defined(m[u_4, i'_1], aad_8[u_4, i'_1], part1_7[u_4, i'_1], r_14[u_4, i'_1]) && {725}((info_star = info_5[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star)) then + event_abort adv_wins + orfind u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) then + return(bottom) + else + {772} if info_star = info_5[u_4, i'_1] then + return(bottom) + else + {782} part2_2 <-R nonce_t; + {783} part1_2 <-R key_t; + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + return(bottom) + else + part1_1: key_t <- cst_key_t; + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part1: key_t <- cst_key_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Transformed find at 772 into a test + - Transform unused random number generation at 783 into constant assignment + - Remove random number generation at 782 + - Replaced 
((info_star = info_5[u_4, i'_1]) && (r_14[u_4, i'_1] = ciph_star) && (aad_8[u_4, i'_1] = aad_star)) with false at 725 + - Remove branch 1 in find at 716 + - Transformed find at 326 into a test + - Transform unused random number generation at 344 into constant assignment + - Remove random number generation at 343 + - Replaced defined condition m[u_6, u_7], aad_8[u_6, u_7], part1_7[u_6, u_7], r_14[u_6, u_7] with an empty condition in find at 196 + - Replaced defined condition part1_7[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] with m[ri_2, ri_3], aad_8[ri_2, ri_3], r_14[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, ri_3] in find at 165 +yields + +Game 50 is + (( + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_2: pkey_t, m: bitstring, aad_8: bitstring, info_5: bitstring) := + find u_8 = ri_4 <= N suchthat defined(s[ri_4]) && (pk_2 = pkgen(s[ri_4])) then + k_3 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + ce_2: kemciph_t <- AuthEncap_enc_r(k_3, pk_2, sk_2); + enc_4: kemciph_t <- ce_2; + part2_7 <-R nonce_t; + part1_7 <-R key_t; + r_14: bitstring <- Seal_inner(m, aad_8, part1_7, part2_7); + ct_8: bitstring <- r_14; + return(SealAuth_Some(ce_2, r_14)) + else + k_2 <-R kemseed_t; + sk_1: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc_r(k_2, pk_2, sk_1); + k_5: kemkey_t <- AuthEncap_key_r(k_2, pk_2, sk_1); + enc_4: kemciph_t <- ce_1; + r_3: keys_t <- KeySchedule_auth(k_5, info_5); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_8: bitstring <- Seal_inner(m, aad_8, key_6, nonce_6); + return(SealAuth_Some(ce_1, ct_8)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_3: pkey_t, enc_7: kemciph_t, c: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_6 = ri_2 <= Qeperuser, u_7 = ri_3 <= N suchthat defined(m[ri_2, ri_3], aad_8[ri_2, ri_3], r_14[ri_2, ri_3], info_5[ri_2, ri_3], ce_2[ri_2, ri_3], s[ri_3], u_8[ri_2, 
ri_3]) && (i = u_8[ri_2, ri_3]) && (pkgen(s[ri_3]) = pk_3) && (ce_2[ri_2, ri_3] = enc_7) then + find [unique] suchthat (info_6 = info_5[u_6, u_7]) && (r_14[u_6, u_7] = c) && (aad_8[u_6, u_7] = aad_9) then + return(OpenAuth_Some(Context_Open_Some(m[u_6, u_7]))) + orfind u_35 = ri_39 <= Qdperuser suchthat defined(part1_6[ri_39], info_6[ri_39], u_7[ri_39], u_6[ri_39]) && (u_6[ri_39] = u_6) && (u_7[ri_39] = u_7) && (info_6 = info_6[ri_39]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_2, info_star, i'_1, u_4) && (u_4 = u_6) && (i'_1 = u_7) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + if info_6 = info_5[u_6, u_7] then + return(OpenAuth_Some(Context_Open_None)) + else + part1_6: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + else + find u_20 = ri_16 <= Qdperuser suchthat defined(part1_3[ri_16], info_6[ri_16], enc_7[ri_16], pk_3[ri_16]) && (pk_3[ri_16] = pk_3) && (enc_7[ri_16] = enc_7) then + find [unique] suchthat info_6 = info_6[u_20] then + return(OpenAuth_Some(Context_Open_None)) + orfind u_31 = ri_33 <= Qdperuser suchthat defined(part1_5[ri_33], info_6[ri_33], u_20[ri_33]) && (u_20[ri_33] = u_20) && (info_6 = info_6[ri_33]) then + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1_1, info_star, i''_1, u_13) && (u_13 = u_20) && (i''_1 = i) && (info_6 = info_star) then + return(OpenAuth_Some(Context_Open_None)) + else + part1_5: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(part1, info_star, enc_star, pk_S, i''_1) && (i = i''_1) && (pk_S = pk_3) && (enc_star = enc_7) then + find [unique] u_33 = ri_37 <= Qdperuser suchthat defined(part2_4[ri_37], part1_4[ri_37], info_6[ri_37]) && (info_6 = info_6[ri_37]) then + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4[u_33], part2_4[u_33]) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_6 = 
info_star then + return(OpenAuth_Some(Context_Open_None)) + else + part2_4 <-R nonce_t; + part1_4 <-R key_t; + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, part1_4, part2_4) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + find u_22 = ri_18 <= N suchthat defined(s[ri_18]) && (pk_3 = pkgen(s[ri_18])) then + let AuthDecap_Some(k0: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + part1_3: key_t <- cst_key_t; + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_3) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_6: bitstring) = Open_inner(c, aad_9, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_6))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + )) + ) | ( + Ochall(pk_S: pkey_t, pk_R: pkey_t, enc_star: kemciph_t, ciph_star: bitstring, aad_star: bitstring, info_star: bitstring) := + find i'_1 = i' <= N, i''_1 = i'' <= N suchthat defined(s[i'], s[i'']) && (pkgen(s[i']) = pk_S) && (pkgen(s[i'']) = pk_R) then + find u = u_2 <= Qeperuser suchthat defined(info_5[u_2, i'_1], aad_8[u_2, i'_1], ct_8[u_2, i'_1], enc_4[u_2, i'_1], pk_2[u_2, i'_1]) && (pk_2[u_2, i'_1] = pk_R) && (enc_4[u_2, i'_1] = enc_star) && (ct_8[u_2, i'_1] = ciph_star) && (aad_8[u_2, i'_1] = aad_star) && (info_5[u_2, i'_1] = info_star) then + return(bottom) + else + find u_4 = ri <= Qeperuser suchthat defined(part1_7[ri, i'_1], info_5[ri, i'_1], ce_2[ri, i'_1], u_8[ri, i'_1]) && (i''_1 = u_8[ri, i'_1]) && (ce_2[ri, i'_1] = enc_star) then + find [unique] u_27 = ri_25 <= Qdperuser, u_28 = ri_26 <= N suchthat defined(part1_6[ri_25, ri_26], info_6[ri_25, ri_26], u_7[ri_25, ri_26], u_6[ri_25, ri_26]) && (u_6[ri_25, ri_26] = u_4) && (u_7[ri_25, ri_26] = i'_1) && (info_star = info_6[ri_25, ri_26]) 
then + return(bottom) + else + if info_star = info_5[u_4, i'_1] then + return(bottom) + else + part1_2: key_t <- cst_key_t; + return(bottom) + else + find u_13 = ri_9 <= Qdperuser suchthat defined(part1_3[ri_9, i''_1], info_6[ri_9, i''_1], enc_7[ri_9, i''_1], u_22[ri_9, i''_1]) && (u_22[ri_9, i''_1] = i'_1) && (enc_7[ri_9, i''_1] = enc_star) then + find [unique] suchthat info_star = info_6[u_13, i''_1] then + return(bottom) + orfind u_25 = ri_21 <= Qdperuser suchthat defined(part1_5[ri_21, i''_1], info_6[ri_21, i''_1], u_20[ri_21, i''_1]) && (u_20[ri_21, i''_1] = u_13) && (info_star = info_6[ri_21, i''_1]) then + return(bottom) + else + part1_1: key_t <- cst_key_t; + return(bottom) + else + let AuthDecap_Some(k0_1: kemkey_t) = AuthDecap(enc_star, skgen(s[i''_1]), pk_S) in + part1: key_t <- cst_key_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Proved event(adv_wins) ==> false in game 50 +Adv[Game 1: event(adv_wins) ==> false] <= Adv_ctxt(time_4, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec) + Adv_PRF_KeySchedule(time_3, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec + #Oaenc) + (#Oaenc * N + 11 * N^2) * P_pk_coll + Adv_Outsider_Auth(time_2, N, #Oaenc, 1 + #Oadec) + Adv_Outsider_CCA(time_1, N, #Oaenc, 1 + #Oadec) + Adv[Game 50: event(adv_wins) ==> false] +Adv[Game 50: event(adv_wins) ==> false] <= 0 +RESULT Proved event(adv_wins) ==> false up to probability Adv_ctxt(time_4, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec) + Adv_PRF_KeySchedule(time_3, 1 + #Oadec + #Oaenc, 1 + Qdperuser + #Oadec + #Oaenc) + (#Oaenc * N + 11 * N^2) * P_pk_coll + Adv_Outsider_Auth(time_2, N, #Oaenc, 1 + #Oadec) + Adv_Outsider_CCA(time_1, N, #Oaenc, 1 + #Oadec) +RESULT time_1 = time + time(context for game 10) = #Oaenc * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 10: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 10: m), maxlength(game 10: aad_8)) + 
#Oaenc * time(SealAuth_Some, maxlength(game 10: ct_8)) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 10: info_6)) + #Oadec * time(Open_inner, maxlength(game 10: c), maxlength(game 10: aad_9)) + #Oadec * time(let injbot, maxlength(game 10: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 10: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 10: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 10: ct_8), maxlength(game 10: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 10: aad_8), maxlength(game 10: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 10: info_5), maxlength(game 10: info_star)) + time(KeySchedule_auth, maxlength(game 10: info_star)) + time(Open_inner, maxlength(game 10: ciph_star), maxlength(game 10: aad_star)) + time(let injbot, maxlength(game 10: pt_7)) + time +RESULT time_2 = time + time(context for game 17) = 2 * #Oaenc * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 17: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 17: m), maxlength(game 17: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 17: ct_8)) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 17: info_6)) + #Oadec * time(Open_inner, maxlength(game 17: c), maxlength(game 17: aad_9)) + #Oadec * time(let injbot, maxlength(game 17: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 17: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 17: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 17: ct_8), maxlength(game 17: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 17: aad_8), maxlength(game 17: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 17: info_5), 
maxlength(game 17: info_star)) + time(KeySchedule_auth, maxlength(game 17: info_star)) + time(Open_inner, maxlength(game 17: ciph_star), maxlength(game 17: aad_star)) + time(let injbot, maxlength(game 17: pt_7)) + time +RESULT time_3 = time + time(context for game 27) = (N + #Oaenc * N + #Oadec * #Oaenc + #Oadec * N + 2 * N^2) * time(pkgen) + (#Oaenc + #Oadec + 1) * time(skgen) + #Oaenc * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 27: info_5)) + (#Oaenc + #Oadec + 1) * time(get2) + (#Oaenc + #Oadec + 1) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 27: m), maxlength(game 27: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 27: ct_8)) + (#Oadec + 1) * time(AuthDecap) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 27: info_6)) + #Oadec * time(Open_inner, maxlength(game 27: c), maxlength(game 27: aad_9)) + #Oadec * time(let injbot, maxlength(game 27: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 27: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 27: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 27: ct_8), maxlength(game 27: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 27: aad_8), maxlength(game 27: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 27: info_5), maxlength(game 27: info_star)) + time(Open_inner, maxlength(game 27: ciph_star), maxlength(game 27: aad_star)) + time(let injbot, maxlength(game 27: pt_7)) + time +RESULT time_4 = time + time(context for game 44) = (N + #Oaenc * N + #Oadec * #Oaenc + #Oadec * N + 2 * N^2) * time(pkgen) + (#Oaenc + #Oadec + 1) * time(skgen) + #Oaenc * time(AuthEncap_enc_r) + #Oaenc * time(AuthEncap_key_r) + #Oaenc * time(KeySchedule_auth, maxlength(game 44: info_5)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 44: m), 
maxlength(game 44: aad_8)) + #Oaenc * time(SealAuth_Some, maxlength(game 44: ct_8)) + #Oadec * time(= bitstring, maxlength(game 44: info_6), maxlength(game 44: info_5)) + (#Oadec + #Oadec * Qdperuser) * time(= bitstring, maxlength(game 44: info_6), maxlength(game 44: info_6)) + #Oadec * time(= bitstring, maxlength(game 44: info_6), maxlength(game 44: info_star)) + (#Oadec + 1) * time(AuthDecap) + (#Oadec + 1) * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 44: info_6)) + #Oadec * time(Open_inner, maxlength(game 44: c), maxlength(game 44: aad_9)) + #Oadec * time(let injbot, maxlength(game 44: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 44: pt_6))) + #Oadec * time(Context_Open_Some, maxlength(game 44: pt_6)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + Qeperuser * time(= bitstring, maxlength(game 44: ct_8), maxlength(game 44: ciph_star)) + Qeperuser * time(= bitstring, maxlength(game 44: aad_8), maxlength(game 44: aad_star)) + Qeperuser * time(= bitstring, maxlength(game 44: info_5), maxlength(game 44: info_star)) + time(= bitstring, maxlength(game 44: info_star), maxlength(game 44: info_5)) + (#Oadec + 1 + Qdperuser) * time(= bitstring, maxlength(game 44: info_star), maxlength(game 44: info_6)) + time(let injbot, maxlength(game 44: pt_7)) + time +All queries proved.
diff --git a/hpke.auth.outsider-cca.proof b/hpke.auth.outsider-cca.proof
index 5c0c4bc..014ab24 100644
--- a/hpke.auth.outsider-cca.proof
+++ b/hpke.auth.outsider-cca.proof
@@ -1,4060 +1,3857 @@ -Initial state -Game 1 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - return((let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_8: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - get E(=pk_4, =the_pk, =enc_7, =c, =aad_10, =info_7) in - return(OpenAuth_None) - else - return((info_hash: bitstring <- info_7; let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in 
let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, pk_5, the_sk)) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_10: bitstring) = (let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in - insert E(the_pk, pk_5, enc_star, c_star, aad_11, info_8); - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand get, insert - - Expand get/insert for table E -yields - -Game 2 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - {8}let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - return({29}(let 
SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in {41}let KeySchedule_Some(ctx_6: context_t) = {42}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {79}let Context_Seal_Some(ct_8: bitstring) = {80}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - return((info_hash: bitstring <- info_7; {194}let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in {205}let KeySchedule_Some(ctx_8: context_t) = {206}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({241}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- 
xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then -{297} let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); {307}let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, pk_5, the_sk)) in {319}let KeySchedule_Some(ctx_10: context_t) = {320}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in {357}let Context_Seal_Some(ct_10: bitstring) = {358}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in - E_1: pkey_t <- the_pk; - E_2: pkey_t <- pk_5; - E_3: kemciph_t <- enc_star; - E_4: bitstring <- c_star; - E_5: bitstring <- aad_11; - E_6: bitstring <- info_8; - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 8 - - Remove let at 297 - - Remove let at 307 - - Remove let at 297 - - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 320 - - Remove else branch of let at 320 - - Simplify pattern 
KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 319 - - Remove else branch of let at 319 - - Simplify pattern SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) (tuple expanded) at 307 - - Remove else branch of let at 307 - - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 358 - - Remove else branch of let at 358 - - Simplify pattern Context_Seal_Some(ct_10: bitstring) (tuple expanded) at 357 - - Remove else branch of let at 357 - - Simplify pattern SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) (tuple expanded) at 297 - - Remove else branch of let at 297 - - Remove let at 194 - - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 206 - - Remove else branch of let at 206 - - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 205 - - Remove else branch of let at 205 - - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 194 - - Remove else branch of let at 194 - - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 241 - - Remove else branch of let at 241 - - Remove let at 29 - - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 42 - - Remove else branch of let at 42 - - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 41 - - Remove else branch of let at 41 - - Simplify pattern SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) (tuple expanded) at 29 - - Remove else branch of let at 29 - - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 80 - - Remove else branch of let at 80 - - Simplify pattern Context_Seal_Some(ct_8: bitstring) (tuple expanded) at 79 - - Remove else branch of let at 79 -yields - -Game 3 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= 
Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); - ctx_7: context_t <- ctx_6; - enc_6: kemciph_t <- enc_5; - seq_3: nonce_t <- nonce_zero; - nonce_7: nonce_t <- nonce_6; - key_7: key_t <- key_6; - nonce_8: nonce_t <- xor(nonce_7, seq_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_7, nonce_8); - ct_8: bitstring <- ct_7; - return(SealAuth_Some(enc_6, ct_8)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - info_hash: bitstring <- info_7; - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); - ctx_9: context_t <- ctx_8; - seq_4: nonce_t <- nonce_zero; - nonce_10: nonce_t <- nonce_9; - key_9: key_t <- key_8; - nonce_11: nonce_t <- xor(nonce_10, seq_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_9, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, 
info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); - ctx_11: context_t <- ctx_10; - enc_9: kemciph_t <- enc_8; - seq_5: nonce_t <- nonce_zero; - nonce_13: nonce_t <- nonce_12; - key_11: key_t <- key_10; - nonce_14: nonce_t <- xor(nonce_13, seq_5); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_11, nonce_14); - ct_10: bitstring <- ct_9; - c_star: bitstring <- ct_10; - enc_star: kemciph_t <- enc_9; - E_1: pkey_t <- the_pk; - E_2: pkey_t <- pk_5; - E_3: kemciph_t <- enc_star; - E_4: bitstring <- c_star; - E_5: bitstring <- aad_11; - E_6: bitstring <- info_8; - return((enc_star, c_star)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on ctx_11 (definition removed, all usages removed) - - Remove assignments on enc_9 (definition removed, all usages removed) - - Remove assignments on nonce_13 (definition removed, all usages removed) - - Remove assignments on key_11 (definition removed, all usages removed) - - Remove assignments on ct_10 (definition removed, all usages removed) - - Remove assignments on c_star (definition removed, all usages removed) - - Remove assignments on enc_star (definition removed, all usages removed) - - Remove assignments on E_1 (definition removed, all usages removed) - - Remove assignments on E_2 (definition removed, all usages removed) - - Remove assignments on E_3 (definition removed, all usages removed) - - Remove assignments on E_4 (definition removed, all usages removed) - - Remove assignments on E_5 (definition 
removed, all usages removed) - - Remove assignments on E_6 (definition removed, all usages removed) - - Remove assignments on info_hash (definition removed, all usages removed) - - Remove assignments on ctx_9 (definition removed, all usages removed) - - Remove assignments on nonce_10 (definition removed, all usages removed) - - Remove assignments on key_9 (definition removed, all usages removed) - - Remove assignments on ctx_7 (definition removed, all usages removed) - - Remove assignments on enc_6 (definition removed, all usages removed) - - Remove assignments on nonce_7 (definition removed, all usages removed) - - Remove assignments on key_7 (definition removed, all usages removed) - - Remove assignments on ct_8 (definition removed, all usages removed) - - Remove assignments on ctx_10 (definition removed, all usages removed) - - Remove assignments on ctx_8 (definition removed, all usages removed) - - Remove assignments on ctx_6 (definition removed, all usages removed) -yields - -Game 4 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- {59}xor(nonce_6, seq_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{104} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], pk_5[u_2, u_3], enc_8[u_2, u_3], ct_9[u_2, 
u_3], aad_11[u_2, u_3], info_8[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3]) && {128}((the_pk[u_3] = pk_4) && (pk_5[u_2, u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- {208}xor(nonce_9, seq_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- {314}xor(nonce_12, seq_5); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Replaced xor(nonce_12, seq_5) with nonce_12 at 314 - - Replaced xor(nonce_9, seq_4) with nonce_9 at 208 - - Replaced ((the_pk[u_3] = pk_4) && (pk_5[u_2, u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) with 
((the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) at 128 - - Replaced defined condition the_pk[u_3], pk_5[u_2, u_3], enc_8[u_2, u_3], ct_9[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3], ct_9[u_2, u_3] with info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3] in find at 104 - - Replaced xor(nonce_6, seq_3) with nonce_6 at 59 -yields - -Game 5 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- 
get1(r_4); - seq_4: nonce_t <- nonce_zero; - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - pt_8: bitstring <- test(b, m0, m1); - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move assignment to pt_8 - - Move assignment to seq_4 -yields - -Game 6 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - seq_3: nonce_t <- nonce_zero; - nonce_8: nonce_t <- nonce_6; - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: 
bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - nonce_11: nonce_t <- nonce_9; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - seq_5: nonce_t <- nonce_zero; - nonce_14: nonce_t <- nonce_12; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on seq_5 (definition removed, all usages removed) - - Remove assignments on nonce_14 (definition removed, all usages removed) - - Remove assignments on nonce_11 (definition removed, all usages removed) - - Remove assignments on seq_3 (definition removed, all usages removed) - - Remove assignments on nonce_8 (definition removed, all usages removed) 
-yields - -Game 7 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - the_sk: skey_t <- skgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, 
info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_sk - - Remove assignments on the_sk (definition removed, all usages removed) -yields - -Game 8 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - the_pk: pkey_t <- pkgen(s); - return(the_pk); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - 
Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of binder the_pk - - Remove assignments on the_pk (definition removed, all usages removed) -yields - -Game 9 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: 
keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i'], s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence outsider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_CCA(time(context for game 9) + time, N, #Ochall + #Oaenc, #Oadec)] - - Equivalence outsider_cca(AuthEncap) with variables: k_3 -> ks, k_2 -> ks, s -> s_1 -yields - -Game 10 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - k'_1 <-R kemkey_t; - {22} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (pk_R: pkey_t <- pk_3; find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_R = pkgen(s[ri_5])) then let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in k': kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_1, ce) else AuthEncap_None else AuthEncap_r(k_2, pk_R, skgen(s))) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, 
info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else -{182} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S: pkey_t <- pk_4; cd: kemciph_t <- enc_7; find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], s[ri_4], pk_R[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4]) && (pkgen(s) = pk_R[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_S) && (ce[ri_3, ri_4] = cd) then AuthDecap_Some(k'_1[u_7, u_8]) orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], s[ri_2], pk_R_1[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2]) && (pkgen(s) = pk_R_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_S) && (ce_1[ri_1, ri_2] = cd) then AuthDecap_Some(k'_3[u_5, u_6]) else AuthDecap(cd, skgen(s), pk_S)) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k'_3 <-R kemkey_t; -{359} let 
AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (pk_R_1: pkey_t <- pk_5; {364}find u_4 = ri <= N suchthat defined(s[ri]) && (pk_R_1 = pkgen(s[ri])) then let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_R_1, skgen(s)) in k'_2: kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_3, ce_1) else AuthEncap_None else AuthEncap_r(k_3, pk_R_1, skgen(s))) in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand [probability N * N * P_pk_coll] - - Expand if/find/let - - Remove else branch of find at 364 - - Simplify pattern AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) (tuple expanded) at 359 - - Remove else branch of let at 359 - - A single branch always succeeds in find at 364 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 182 - - Remove else branch of let at 182 - - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 182 - - Remove else branch of let at 182 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 22 - - Remove else branch of let at 22 -yields - -Game 11 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - k'_1 <-R kemkey_t; - pk_R: pkey_t <- pk_3; - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_R = pkgen(s[ri_5])) then - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - enc_5: kemciph_t <- ce; - shared_secret_3: kemkey_t <- k'_1; - r_3: 
keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - pk_S: pkey_t <- pk_4; - cd: kemciph_t <- enc_7; - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], s[ri_4], pk_R[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4]) && (pkgen(s) = pk_R[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_S) && (ce[ri_3, ri_4] = cd) then - shared_secret_4: kemkey_t <- k'_1[u_7, u_8]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - 
return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], s[ri_2], pk_R_1[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2]) && (pkgen(s) = pk_R_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_S) && (ce_1[ri_1, ri_2] = cd) then - shared_secret_4: kemkey_t <- k'_3[u_5, u_6]; - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k'_3 <-R kemkey_t; - pk_R_1: pkey_t <- pk_5; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_R_1, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - shared_secret_5: kemkey_t <- k'_3; - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t 
<- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on pk_R_1 (definition removed, all usages removed) - - Remove assignments on shared_secret_5 (definition removed, all usages removed) - - Remove assignments on enc_8 (definition kept, array references kept) - - Remove assignments on pk_S (definition removed, all usages removed) - - Remove assignments on cd (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on shared_secret_4 (definition removed, all usages removed) - - Remove assignments on pk_R (definition removed, all usages removed) - - Remove assignments on enc_5 (definition removed, all usages removed) - - Remove assignments on shared_secret_3 (definition removed, all usages removed) -yields - -Game 12 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, 
nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else -{269} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(pk_3[ri_3, ri_4], k'_1[ri_3, ri_4], k'[ri_3, ri_4], s[ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4]) && {281}((pkgen(s) = pk_3[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(pk_5[ri_1, ri_2], k'_3[ri_1, ri_2], k'_2[ri_1, ri_2], s[ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2]) && {367}((pkgen(s) = pk_5[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7)) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - 
else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k'_3 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify [probability N * N * P_pk_coll] - - Simplification pass - - Replaced ((pkgen(s) = pk_5[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7)) with ((i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7)) at 367 - - Replaced defined condition pk_5[ri_1, ri_2], k'_3[ri_1, ri_2], k'_2[ri_1, ri_2], s[ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2] with k'_2[ri_1, ri_2], 
k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] in find at 269 - - Replaced ((pkgen(s) = pk_3[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7)) with ((i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7)) at 281 - - Replaced defined condition pk_3[ri_3, ri_4], k'_1[ri_3, ri_4], k'[ri_3, ri_4], s[ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4] with k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4] in find at 269 -yields - -Game 13 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - k_2 <-R kemseed_t; - k'_1 <-R kemkey_t; - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - else - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: 
bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = 
i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k'_3 <-R kemkey_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((enc_8, ct_9)) - else - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying move all binders - - Move random number generation k'_3 - - Move random number generation k'_1 - - Move random number generation k_2 -yields - -Game 14 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_2 <-R kemseed_t; - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: 
key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_2 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: 
bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - k'_3 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_3 <-R kemkey_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Rename variable k_2 into k_7, k_6 -yields - -Game 15 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: 
bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_7, pk_3, skgen(s)) in - k': kemkey_t <- cst_kemkey_t; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_6 <-R kemseed_t; - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_6, pk_3, skgen(s)) in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && 
(ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: 
kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - k'_3 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_3 <-R kemkey_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence eliminate_failing(AuthEncap) - - Equivalence eliminate_failing(AuthEncap) -yields - -Game 16 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - {30} let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = (k_9: kemseed_t <- k_7; pk_7: pkey_t <- pk_3; sk_3: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_9, pk_7, sk_3), AuthEncap_enc(k_9, pk_7, sk_3))) in - k': kemkey_t <- cst_kemkey_t; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - else - k_6 <-R kemseed_t; -{169} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_8: kemseed_t <- k_6; pk_6: pkey_t <- pk_3; sk_2: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_8, pk_6, sk_2), AuthEncap_enc(k_8, pk_6, sk_2))) in - r_3: keys_t 
<- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - else - k'_1 <-R kemkey_t; - return(SealAuth_None) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else -{320} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- 
get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; -{572} let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = (k_10: kemseed_t <- k_3; pk_8: pkey_t <- pk_5; sk_4: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_10, pk_8, sk_4), AuthEncap_enc(k_10, pk_8, sk_4))) in - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: kemciph_t <- ce_1; - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in - r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - k'_3 <-R kemkey_t; - return((enc_8, ct_9)) - else - k'_3 <-R kemkey_t; - return(bottom) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) (tuple expanded) at 572 - - Remove else branch of let at 572 - - Replaced defined condition k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] with k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] in find at 320 - - Replaced defined condition k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4] with k'_1[ri_3, 
ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4] in find at 320 - - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 169 - - Remove else branch of let at 169 - - Simplify pattern AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) (tuple expanded) at 30 - - Remove else branch of let at 30 -yields - -Game 17 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - k_9: kemseed_t <- k_7; - pk_7: pkey_t <- pk_3; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_9, pk_7, sk_3); - k_4: kemkey_t <- AuthEncap_key(k_9, pk_7, sk_3); - k': kemkey_t <- cst_kemkey_t; - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - k_8: kemseed_t <- k_6; - pk_6: pkey_t <- pk_3; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_8, pk_6, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_8, pk_6, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = 
aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - k_10: kemseed_t <- k_3; - pk_8: pkey_t <- pk_5; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_10, pk_8, sk_4); - k_5: kemkey_t <- AuthEncap_key(k_10, pk_8, sk_4); - k'_2: kemkey_t <- cst_kemkey_t; - enc_8: 
kemciph_t <- ce_1; - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on k_10 (definition removed, all usages removed) - - Remove assignments on pk_8 (definition removed, all usages removed) - - Remove assignments on k_5 (definition removed, all usages removed) - - Remove assignments on k'_2 (definition removed, all usages removed) - - Remove assignments on enc_8 (definition removed, all usages removed) - - Remove assignments on k_8 (definition removed, all usages removed) - - Remove assignments on pk_6 (definition removed, all usages removed) - - Remove assignments on k_9 (definition removed, all usages removed) - - Remove assignments on pk_7 (definition removed, all usages removed) - - Remove assignments on k_4 (definition removed, all usages removed) - - Remove assignments on k' (definition removed, all usages removed) -yields - -Game 18 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: 
keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{175} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], ce_1[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = 
Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition ce_1[u_2, u_3], ce_1[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3], s[u_3] with info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3] in find at 175 -yields - -Game 19 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_1 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_1, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- 
KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - k'_1 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, 
nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying SA rename k'_1 - - Rename variable k'_1 into k'_5, k'_4 -yields - -Game 20 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); -{153} k'_5 <-R kemkey_t; - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: 
pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - 
find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Remove random number generation at 153 -yields - -Game 21 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && 
(ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3 <-R kemkey_t; - r_5: keys_t <- KeySchedule_auth(k'_3, info_8); - 
nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence prf(KeySchedule_auth) with k'_3 [probability Adv_PRF_KeySchedule(time(context for game 21) + time, #Ochall, #Ochall + #Oadec)] - - Equivalence prf(KeySchedule_auth) with variables: k'_3 -> k_1 -yields - -Game 22 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find 
u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(u_6, u_6[ri_12, ri_13], u_5, u_5[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then r_6[u_12, u_13] orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then r_7[u_5, u_6] else r_6 <-R keys_t; r_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) 
then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_1: bitstring <- info_8; {575}find [unique] u_10 = ri_8 <= Qdperuser, u_11 = ri_9 <= N suchthat defined(u_6[ri_8, ri_9], u_5[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9]) && {584}((u_5[ri_8, ri_9] = ic) && (u_6[ri_8, ri_9] = i) && (x_1 = x[ri_8, ri_9])) then r_6[u_10, u_11] orfind suchthat defined(x_1, r_7) && {614}(x_1 = x_1) then r_7 else r_7 <-R keys_t; r_7); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Replaced (x_1 = x_1) with true at 614 - - Replaced ((u_5[ri_8, ri_9] = ic) && (u_6[ri_8, ri_9] = i) && (x_1 = x[ri_8, ri_9])) with false at 584 - - Remove branch 1 in find at 575 -yields - -Game 23 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- 
get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - r_4: keys_t <- (x: bitstring <- info_7; {349}find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(u_6, u_6[ri_12, ri_13], u_5, u_5[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then r_6[u_12, u_13] orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then r_7[u_5, u_6] else r_6 <-R keys_t; r_6); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let 
AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3: kemkey_t <- cst_kemkey_t; - r_5: keys_t <- (x_1: bitstring <- info_8; {575}if defined(x_1, r_7) then r_7 else r_7 <-R keys_t; r_7); - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 1 in find at 575 - - Find at 575 removed (else branch kept if any) - - Replaced defined condition u_6, u_6[ri_12, ri_13], u_5, u_5[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13] with u_6[ri_12, ri_13], u_5[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13] in find at 349 -yields - -Game 24 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- 
get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - x: bitstring <- info_7; - find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(u_6[ri_12, ri_13], u_5[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then - 
r_4: keys_t <- r_6[u_12, u_13]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then - r_4: keys_t <- r_7[u_5, u_6]; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - r_4: keys_t <- r_6; - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - k'_3: kemkey_t <- cst_kemkey_t; - x_1: bitstring <- info_8; - r_7 <-R keys_t; - r_5: keys_t <- r_7; - nonce_12: nonce_t <- get2(r_5); - key_10: key_t <- get1(r_5); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - 
)) - - -Applying remove assignments of findcond - - Remove assignments on k'_3 (definition removed, all usages removed) - - Remove assignments on x_1 (definition removed, all usages removed) - - Remove assignments on r_5 (definition removed, all usages removed) - - Remove assignments on x (definition point kept, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) - - Remove assignments on r_4 (definition removed, all usages removed) -yields - -Game 25 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, 
u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else -{235} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(ce_1[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - x: bitstring <- cst_bitstring; -{346} find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(info_7[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13], r_6[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (info_7 = info_7[ri_12, ri_13]) then - nonce_9: nonce_t <- get2(r_6[u_12, u_13]); - key_8: key_t <- get1(r_6[u_12, u_13]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(info_8[u_5, u_6], ce_1[u_5, u_6], r_7[u_5, u_6]) && (info_7 = info_8[u_5, u_6]) then - nonce_9: nonce_t <- get2(r_7[u_5, u_6]); - key_8: key_t <- get1(r_7[u_5, u_6]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) 
- else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition info_8[u_5, u_6], ce_1[u_5, u_6], r_7[u_5, u_6] with an empty condition in find at 346 - - In branch 1 of find at 346, substituting u_13 with i - - Replaced defined condition info_7[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13], r_6[ri_12, ri_13] with r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12] in find at 346 - - Replaced defined condition ce_1[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] with r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] in find at 235 -yields - -Game 26 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: 
skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - x: bitstring <- cst_bitstring; - find [unique] u_12 = ri_12 <= Qdperuser suchthat 
defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - u_13 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_12]); - key_8: key_t <- get1(r_6[u_12]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- get2(r_7[u_5, u_6]); - key_8: key_t <- get1(r_7[u_5, u_6]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying 
move all binders - - Move assignment to x -yields - -Game 27 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - u_13 <= N <- i; - nonce_9: nonce_t <- get2(r_6[u_12]); - key_8: key_t <- get1(r_6[u_12]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- get2(r_7[u_5, u_6]); - key_8: key_t <- get1(r_7[u_5, u_6]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = 
Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on u_13 (definition removed, all usages removed) -yields - -Game 28 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - 
return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - nonce_9: nonce_t <- get2(r_6[u_12]); - key_8: key_t <- get1(r_6[u_12]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- get2(r_7[u_5, u_6]); - key_8: key_t <- get1(r_7[u_5, u_6]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: 
bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - r_7 <-R keys_t; - nonce_12: nonce_t <- get2(r_7); - key_10: key_t <- get1(r_7); - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_7 -> r -yields - -Game 29 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, 
enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - nonce_9: nonce_t <- get2(r_6[u_12]); - key_8: key_t <- get1(r_6[u_12]); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- part2[u_5, u_6]; - key_8: key_t <- part1[u_5, u_6]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - r_6 <-R keys_t; - nonce_9: nonce_t <- get2(r_6); - key_8: 
key_t <- get1(r_6); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence splitter(split) - - Equivalence splitter(split) with variables: r_6 -> r -yields - -Game 30 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - 
return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - nonce_9: nonce_t <- part2_1[u_12]; - key_8: key_t <- part1_1[u_12]; - let injbot(pt_7: 
bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - nonce_9: nonce_t <- part2[u_5, u_6]; - key_8: key_t <- part1[u_5, u_6]; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - r_6: keys_t <- cst_keys_t; - nonce_9: nonce_t <- part2_1; - key_8: key_t <- part1_1; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - r_7: keys_t <- cst_keys_t; - nonce_12: nonce_t <- part2; - key_10: key_t <- part1; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on r_7 (definition removed, all usages removed) - - Remove assignments on nonce_12 (definition removed, all 
usages removed) - - Remove assignments on key_10 (definition removed, all usages removed) - - Remove assignments on r_6 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) - - Remove assignments on nonce_9 (definition removed, all usages removed) - - Remove assignments on key_8 (definition removed, all usages removed) -yields - -Game 31 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && 
(ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else -{235} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then -{350} find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_5, u_6], part2[u_5, u_6]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - 
key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition part2_1[ri_12], part1_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12] with part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12] in find at 350 - - Replaced defined condition part2[ri_1, ri_2], part1[ri_1, ri_2], part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] with part2[ri_1, ri_2], part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] in find at 235 -yields - -Game 32 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; 
- sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - 
return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_5, u_6], part2[u_5, u_6]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence int_ctxt(Seal_inner) with part1 [probability Adv_ctxt(time(context for game 32) + time, #Ochall, #Oadec)] - - Equivalence int_ctxt(Seal_inner) with variables: part2 -> n, part1 -> k_1 -yields - -Game 33 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 
= pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= 
Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then -{422} let injbot(pt_7: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_10; if defined(x_2[u_5, u_6], d[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = y) && (d[u_5, u_6] = c_d) then injbot(x_2[u_5, u_6]) else bottom) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - ct_9: bitstring <- (x_2: bitstring <- pt_8; d: bitstring <- aad_11; r_8: bitstring <- Seal_inner(x_2, d, part1, part2); r_8); - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - 
)) - - -Applying expand - - Expand if/find/let - - Remove let at 422 - - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 422 - - Remove else branch of let at 422 -yields - -Game 34 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- 
get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then - y: bitstring <- c; - c_d: bitstring <- aad_10; - if defined(x_2[u_5, u_6], d[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = y) && (d[u_5, u_6] = c_d) then - pt_7: bitstring <- x_2[u_5, u_6]; - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat 
defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - x_2: bitstring <- pt_8; - d: bitstring <- aad_11; - r_8: bitstring <- Seal_inner(x_2, d, part1, part2); - ct_9: bitstring <- r_8; - return((ce_1, ct_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_2 (definition removed, all usages removed) - - Remove assignments on d (definition removed, all usages removed) - - Remove assignments on ct_9 (definition removed, all usages removed) - - Remove assignments on y (definition removed, all usages removed) - - Remove assignments on c_d (definition removed, all usages removed) - - Remove assignments on pt_7 (definition removed, all usages removed) -yields - -Game 35 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - 
foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{174} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], r_8[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then -{348} find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat info_7 = info_8[u_5, u_6] then -{424} if defined(pt_8[u_5, u_6], aad_11[u_5, u_6], pt_8[u_5, u_6], pt_8[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10) then - return(OpenAuth_Some(Context_Open_Some(pt_8[u_5, u_6]))) - else - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R 
key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Simplified find at 424 in branch of find at 348 - - Replaced defined condition r_8[u_2, u_3], r_8[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3] with info_8[u_2, u_3], aad_11[u_2, u_3], r_8[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3] in find at 174 -yields - -Game 36 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, 
info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], r_8[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then -{346} find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let 
injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind suchthat defined(pt_8[u_5, u_6], aad_11[u_5, u_6], pt_8[u_5, u_6], pt_8[u_5, u_6], r_8[u_5, u_6]) && {441}((info_7 = info_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10)) then - return(OpenAuth_Some(Context_Open_Some(pt_8[u_5, u_6]))) - else -{488} if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Transformed find at 488 into a test - - Replaced ((info_7 = info_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10)) with false at 441 - - Remove branch 2 in find at 346 -yields - -Game 37 is - 
Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], r_8[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - 
return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2 <-R nonce_t; - part1 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying equivalence 
ind_cpa(Seal_inner) [probability Adv_cpa(time(context for game 37) + time, #Ochall)] - - Equivalence ind_cpa(Seal_inner) with variables: part2 -> n, part1 -> k_1 -yields - -Game 38 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], r_8[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - 
key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - part1: key_t <- cst_key_t; - pt_8: bitstring <- 
test(b, m0, m1); - r_8: bitstring <- (x_3: bitstring <- pt_8; d_1: bitstring <- aad_11; r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); r_9); - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 39 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], r_8[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] 
= enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, 
pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - part1: key_t <- cst_key_t; - pt_8: bitstring <- test(b, m0, m1); - x_3: bitstring <- pt_8; - d_1: bitstring <- aad_11; - r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); - r_8: bitstring <- r_9; - return((ce_1, r_8)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on part1 (definition removed, all usages removed) - - Remove assignments on x_3 (definition removed, all usages removed) - - Remove assignments on d_1 (definition removed, all usages removed) - - Remove assignments on r_8 (definition removed, all usages removed) -yields - -Game 40 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := -{174} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], r_9[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], 
i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - 
return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_9: bitstring <- {573}enc'(Length(pt_8), aad_11, part1_2, part2_2); - return((ce_1, r_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying simplify - - Simplification pass - - Replaced enc'(Length(pt_8), aad_11, part1_2, part2_2) with enc'(Length(m0), aad_11, part1_2, part2_2) at 573 - - Replaced defined condition r_9[u_2, u_3], r_9[u_2, u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3] with info_8[u_2, u_3], aad_11[u_2, u_3], r_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3] in find at 174 -yields - -Game 41 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - 
nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], r_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 <-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - 
return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - pt_8: bitstring <- test(b, m0, m1); - r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); - return((ce_1, r_9)) - else - return(bottom) - else - return(bottom) - )) - - -Applying remove assignments of findcond - - Remove assignments on pt_8 (definition removed, all usages removed) -yields - -Game 42 is - Ostart() := - b <-R bool; - return(); - foreach i <= N do - Osetup() := - s <-R keypairseed_t; - return(pkgen(s)); - (( - foreach iae <= Qeperuser do - Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := - find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then - k_7 <-R kemseed_t; - sk_3: skey_t <- skgen(s); - ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); - k'_4 <-R kemkey_t; - r_3: keys_t <- KeySchedule_auth(k'_4, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(ce, ct_7)) - else - k_6 <-R kemseed_t; - sk_2: skey_t <- skgen(s); - enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); - shared_secret_3: kemkey_t <- 
AuthEncap_key(k_6, pk_3, sk_2); - r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); - nonce_6: nonce_t <- get2(r_3); - key_6: key_t <- get1(r_3); - ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); - return(SealAuth_Some(enc_5, ct_7)) - ) | ( - foreach iad <= Qdperuser do - Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := - find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], r_9[u_2, u_3], ce_1[u_2, u_3], i'_1[u_2, u_3], s[u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then - return(OpenAuth_None) - else - find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then - r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then - find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - if info_7 = info_8[u_5, u_6] then - return(OpenAuth_Some(Context_Open_None)) - else - part2_1 <-R nonce_t; - part1_1 
<-R key_t; - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in - r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); - nonce_9: nonce_t <- get2(r_4); - key_8: key_t <- get1(r_4); - let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in - return(OpenAuth_Some(Context_Open_Some(pt_7))) - else - return(OpenAuth_Some(Context_Open_None)) - else - return(OpenAuth_None) - ) | ( - foreach ic <= Qcperuser do - Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := - find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then - if Length(m0) = Length(m1) then - k_3 <-R kemseed_t; - sk_4: skey_t <- skgen(s); - ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); - part2_2 <-R nonce_t; - part1_2 <-R key_t; - r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); - return((ce_1, r_9)) - else - return(bottom) - else - return(bottom) - )) - - -Proved secrecy of b in game 42 -Adv[Game 1: secrecy of b] <= 2 * Adv_cpa(time_1, #Ochall) + 2 * Adv_ctxt(time_2, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_3, #Ochall, #Ochall + #Oadec) + 2 * Adv_Outsider_CCA(time_4, N, #Ochall + #Oaenc, #Oadec) + 6 * N * N * P_pk_coll + Adv[Game 42: secrecy of b] -Adv[Game 42: secrecy of b] <= 0 -RESULT Proved secrecy of b up to probability 2 * Adv_cpa(time_1, #Ochall) + 2 * Adv_ctxt(time_2, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_3, #Ochall, #Ochall + #Oadec) + 2 * Adv_Outsider_CCA(time_4, N, #Ochall + #Oaenc, #Oadec) + 6 * N * N * P_pk_coll -RESULT time_1 = time(context for game 37) + time -RESULT time_2 = time(context for game 32) + time -RESULT time_3 = time(context for game 21) + time -RESULT time_4 = time(context for game 9) + time -RESULT time(context for game 9) = (#Oaenc + #Ochall) * time(let 
AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 9: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 9: m), maxlength(game 9: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 9: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: ct_9), maxlength(game 9: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: aad_11), maxlength(game 9: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: info_8), maxlength(game 9: info_7)) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 9: info_7)) + #Oadec * time(Open_inner, maxlength(game 9: c), maxlength(game 9: aad_10)) + #Oadec * time(let injbot, maxlength(game 9: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 9: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 9: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 9: m0)), length(Length, maxlength(game 9: m1))) + #Ochall * time(Length, maxlength(game 9: m1)) + #Ochall * time(Length, maxlength(game 9: m0)) + #Ochall * time(KeySchedule_auth, maxlength(game 9: info_8)) + #Ochall * time(test, maxlength(game 9: m0), maxlength(game 9: m1)) + #Ochall * time(Seal_inner, maxlength(game 9: pt_8), maxlength(game 9: aad_11)) -RESULT time(context for game 21) = (N + #Oaenc * N + #Oadec * #Oaenc + 2 * #Oadec * #Ochall + #Ochall * N) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 21: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 21: m), maxlength(game 21: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 21: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 21: ct_9), 
maxlength(game 21: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 21: aad_11), maxlength(game 21: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 21: info_8), maxlength(game 21: info_7)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 21: info_7)) + #Oadec * time(Open_inner, maxlength(game 21: c), maxlength(game 21: aad_10)) + #Oadec * time(let injbot, maxlength(game 21: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 21: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 21: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 21: m0)), length(Length, maxlength(game 21: m1))) + #Ochall * time(Length, maxlength(game 21: m1)) + #Ochall * time(Length, maxlength(game 21: m0)) + #Ochall * time(test, maxlength(game 21: m0), maxlength(game 21: m1)) + #Ochall * time(Seal_inner, maxlength(game 21: pt_8), maxlength(game 21: aad_11)) -RESULT time(context for game 32) = (N + #Oaenc * N + #Oadec * #Oaenc + 2 * #Oadec * #Ochall + #Ochall * N) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 32: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 32: m), maxlength(game 32: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 32: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 32: ct_9), maxlength(game 32: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 32: aad_11), maxlength(game 32: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 32: info_8), maxlength(game 32: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 32: info_7), maxlength(game 32: info_7)) + #Oadec * time(= bitstring, maxlength(game 32: info_7), maxlength(game 32: info_8)) 
+ #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 32: info_7)) + #Oadec * time(Open_inner, maxlength(game 32: c), maxlength(game 32: aad_10)) + #Oadec * time(let injbot, maxlength(game 32: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 32: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 32: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 32: m0)), length(Length, maxlength(game 32: m1))) + #Ochall * time(Length, maxlength(game 32: m1)) + #Ochall * time(Length, maxlength(game 32: m0)) + #Ochall * time(test, maxlength(game 32: m0), maxlength(game 32: m1)) -RESULT time(context for game 37) = (N + #Oaenc * N + #Oadec * #Oaenc + 2 * #Oadec * #Ochall + #Ochall * N) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 37: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 37: m), maxlength(game 37: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 37: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 37: r_8), maxlength(game 37: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 37: aad_11), maxlength(game 37: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 37: info_8), maxlength(game 37: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 37: info_7), maxlength(game 37: info_7)) + #Oadec * time(= bitstring, maxlength(game 37: info_7), maxlength(game 37: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 37: info_7)) + #Oadec * time(Open_inner, maxlength(game 37: c), maxlength(game 37: aad_10)) + #Oadec * time(let injbot, maxlength(game 37: pt_7)) + #Oadec * time(OpenAuth_Some, 
length(Context_Open_Some, maxlength(game 37: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 37: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 37: m0)), length(Length, maxlength(game 37: m1))) + #Ochall * time(Length, maxlength(game 37: m1)) + #Ochall * time(Length, maxlength(game 37: m0)) + #Ochall * time(test, maxlength(game 37: m0), maxlength(game 37: m1)) -All queries proved. +Initial state +Game 1 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + return((let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in let KeySchedule_Some(ctx_6: context_t) = (let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_8: bitstring) = (let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + get E(=pk_4, =the_pk, =enc_7, =c, =aad_10, =info_7) in + return(OpenAuth_None) + else + return((info_hash: bitstring <- info_7; let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = 
AuthDecap(enc_7, the_sk, pk_4) in let KeySchedule_Some(ctx_8: context_t) = (let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some((let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, pk_5, the_sk)) in let KeySchedule_Some(ctx_10: context_t) = (let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in let Context_Seal_Some(ct_10: bitstring) = (let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in + insert E(the_pk, pk_5, enc_star, c_star, aad_11, info_8); + return((enc_star, c_star)) + else + return(bottom) + else + 
return(bottom) + else + return(bottom) + )) + + +Applying expand get, insert and prove unique annotations + - Expand get/insert for table E +yields + +Game 2 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + {8}let (the_sk: skey_t, the_pk: pkey_t) = (s <-R keypairseed_t; (skgen(s), pkgen(s))) in + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + return({29}(let SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) = (let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_2 <-R kemseed_t; AuthEncap_r(k_2, pk_3, the_sk)) in {41}let KeySchedule_Some(ctx_6: context_t) = {42}(let concat(key_6: key_t, nonce_6: nonce_t) = (r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); concat(get1(r_3), get2(r_3))) in KeySchedule_Some(Context(key_6, nonce_6, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_5, ctx_6) else SetupAuthS_None else SetupAuthS_None) in {79}let Context_Seal_Some(ct_8: bitstring) = {80}(let Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) = ctx_7 in ct_7: bitstring <- (nonce_8: nonce_t <- xor(nonce_7, seq_3); Seal_inner(m, aad_9, key_7, nonce_8)); Context_Seal_Some(ct_7) else Context_Seal_None) in SealAuth_Some(enc_6, ct_8) else SealAuth_None else SealAuth_None)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + return((info_hash: bitstring <- info_7; {194}let SetupAuthR_Some(ctx_9: context_t) = (let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in {205}let 
KeySchedule_Some(ctx_8: context_t) = {206}(let concat(key_8: key_t, nonce_9: nonce_t) = (r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); concat(get1(r_4), get2(r_4))) in KeySchedule_Some(Context(key_8, nonce_9, nonce_zero)) else KeySchedule_None) in SetupAuthR_Some(ctx_8) else SetupAuthR_None else SetupAuthR_None) in OpenAuth_Some({241}(let Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) = ctx_9 in let injbot(pt_7: bitstring) = (nonce_11: nonce_t <- xor(nonce_10, seq_4); Open_inner(c, aad_10, key_9, nonce_11)) in Context_Open_Some(pt_7) else Context_Open_None else Context_Open_None)) else OpenAuth_None)) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then +{297} let SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) = (pt_8: bitstring <- test(b, m0, m1); {307}let SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) = (let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (k_3 <-R kemseed_t; AuthEncap_r(k_3, pk_5, the_sk)) in {319}let KeySchedule_Some(ctx_10: context_t) = {320}(let concat(key_10: key_t, nonce_12: nonce_t) = (r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); concat(get1(r_5), get2(r_5))) in KeySchedule_Some(Context(key_10, nonce_12, nonce_zero)) else KeySchedule_None) in SetupAuthS_Some(enc_8, ctx_10) else SetupAuthS_None else SetupAuthS_None) in {357}let Context_Seal_Some(ct_10: bitstring) = {358}(let Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) = ctx_11 in ct_9: bitstring <- (nonce_14: nonce_t <- xor(nonce_13, seq_5); Seal_inner(pt_8, aad_11, key_11, nonce_14)); Context_Seal_Some(ct_9) else Context_Seal_None) in SealAuth_Some(enc_9, ct_10) else SealAuth_None else SealAuth_None) in + E_1: pkey_t <- the_pk; + E_2: pkey_t <- pk_5; + E_3: kemciph_t <- enc_star; + E_4: bitstring <- c_star; + E_5: bitstring 
<- aad_11; + E_6: bitstring <- info_8; + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern (the_sk: skey_t, the_pk: pkey_t) (tuple expanded) at 8 + - Remove let at 297 + - Remove let at 307 + - Remove let at 297 + - Simplify pattern concat(key_10: key_t, nonce_12: nonce_t) (tuple expanded) at 320 + - Remove else branch of let at 320 + - Simplify pattern KeySchedule_Some(ctx_10: context_t) (tuple expanded) at 319 + - Remove else branch of let at 319 + - Simplify pattern SetupAuthS_Some(enc_9: kemciph_t, ctx_11: context_t) (tuple expanded) at 307 + - Remove else branch of let at 307 + - Simplify pattern Context(key_11: key_t, nonce_13: nonce_t, seq_5: nonce_t) (tuple expanded) at 358 + - Remove else branch of let at 358 + - Simplify pattern Context_Seal_Some(ct_10: bitstring) (tuple expanded) at 357 + - Remove else branch of let at 357 + - Simplify pattern SealAuth_Some(enc_star: kemciph_t, c_star: bitstring) (tuple expanded) at 297 + - Remove else branch of let at 297 + - Remove let at 194 + - Simplify pattern concat(key_8: key_t, nonce_9: nonce_t) (tuple expanded) at 206 + - Remove else branch of let at 206 + - Simplify pattern KeySchedule_Some(ctx_8: context_t) (tuple expanded) at 205 + - Remove else branch of let at 205 + - Simplify pattern SetupAuthR_Some(ctx_9: context_t) (tuple expanded) at 194 + - Remove else branch of let at 194 + - Simplify pattern Context(key_9: key_t, nonce_10: nonce_t, seq_4: nonce_t) (tuple expanded) at 241 + - Remove else branch of let at 241 + - Remove let at 29 + - Simplify pattern concat(key_6: key_t, nonce_6: nonce_t) (tuple expanded) at 42 + - Remove else branch of let at 42 + - Simplify pattern KeySchedule_Some(ctx_6: context_t) (tuple expanded) at 41 + - Remove else branch of let at 41 + - Simplify pattern SetupAuthS_Some(enc_6: kemciph_t, ctx_7: context_t) (tuple expanded) at 29 + - Remove else branch of let at 
29 + - Simplify pattern Context(key_7: key_t, nonce_7: nonce_t, seq_3: nonce_t) (tuple expanded) at 80 + - Remove else branch of let at 80 + - Simplify pattern Context_Seal_Some(ct_8: bitstring) (tuple expanded) at 79 + - Remove else branch of let at 79 +yields + +Game 3 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ctx_6: context_t <- Context(key_6, nonce_6, nonce_zero); + ctx_7: context_t <- ctx_6; + enc_6: kemciph_t <- enc_5; + seq_3: nonce_t <- nonce_zero; + nonce_7: nonce_t <- nonce_6; + key_7: key_t <- key_6; + nonce_8: nonce_t <- xor(nonce_7, seq_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_7, nonce_8); + ct_8: bitstring <- ct_7; + return(SealAuth_Some(enc_6, ct_8)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(E_1[u_2, u_3], E_2[u_2, u_3], E_3[u_2, u_3], E_4[u_2, u_3], E_5[u_2, u_3], E_6[u_2, u_3]) && (E_1[u_2, u_3] = pk_4) && (E_2[u_2, u_3] = the_pk) && (E_3[u_2, u_3] = enc_7) && (E_4[u_2, u_3] = c) && (E_5[u_2, u_3] = aad_10) && (E_6[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + info_hash: bitstring <- info_7; + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_hash); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + ctx_8: context_t <- Context(key_8, nonce_9, nonce_zero); + ctx_9: 
context_t <- ctx_8; + seq_4: nonce_t <- nonce_zero; + nonce_10: nonce_t <- nonce_9; + key_9: key_t <- key_8; + nonce_11: nonce_t <- xor(nonce_10, seq_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_9, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + ctx_10: context_t <- Context(key_10, nonce_12, nonce_zero); + ctx_11: context_t <- ctx_10; + enc_9: kemciph_t <- enc_8; + seq_5: nonce_t <- nonce_zero; + nonce_13: nonce_t <- nonce_12; + key_11: key_t <- key_10; + nonce_14: nonce_t <- xor(nonce_13, seq_5); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_11, nonce_14); + ct_10: bitstring <- ct_9; + c_star: bitstring <- ct_10; + enc_star: kemciph_t <- enc_9; + E_1: pkey_t <- the_pk; + E_2: pkey_t <- pk_5; + E_3: kemciph_t <- enc_star; + E_4: bitstring <- c_star; + E_5: bitstring <- aad_11; + E_6: bitstring <- info_8; + return((enc_star, c_star)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on ctx_11 (definition removed, all usages removed) + - Remove assignments on enc_9 (definition removed, all usages removed) + - Remove assignments on nonce_13 (definition removed, all usages removed) + - Remove assignments on key_11 (definition removed, all usages removed) + - Remove assignments on ct_10 (definition removed, all usages removed) + - Remove 
assignments on c_star (definition removed, all usages removed) + - Remove assignments on enc_star (definition removed, all usages removed) + - Remove assignments on E_1 (definition removed, all usages removed) + - Remove assignments on E_2 (definition removed, all usages removed) + - Remove assignments on E_3 (definition removed, all usages removed) + - Remove assignments on E_4 (definition removed, all usages removed) + - Remove assignments on E_5 (definition removed, all usages removed) + - Remove assignments on E_6 (definition removed, all usages removed) + - Remove assignments on info_hash (definition removed, all usages removed) + - Remove assignments on ctx_9 (definition removed, all usages removed) + - Remove assignments on nonce_10 (definition removed, all usages removed) + - Remove assignments on key_9 (definition removed, all usages removed) + - Remove assignments on ctx_7 (definition removed, all usages removed) + - Remove assignments on enc_6 (definition removed, all usages removed) + - Remove assignments on nonce_7 (definition removed, all usages removed) + - Remove assignments on key_7 (definition removed, all usages removed) + - Remove assignments on ct_8 (definition removed, all usages removed) + - Remove assignments on ctx_10 (definition removed, all usages removed) + - Remove assignments on ctx_8 (definition removed, all usages removed) + - Remove assignments on ctx_6 (definition removed, all usages removed) +yields + +Game 4 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- 
get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- {59}xor(nonce_6, seq_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := +{104} find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(the_pk[u_3], pk_5[u_2, u_3], enc_8[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], ct_9[u_2, u_3]) && {116}((the_pk[u_3] = pk_4) && (pk_5[u_2, u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- {196}xor(nonce_9, seq_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- {302}xor(nonce_12, seq_5); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + 
+Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced xor(nonce_12, seq_5) with nonce_12 at 302 + - Replaced xor(nonce_9, seq_4) with nonce_9 at 196 + - Replaced ((the_pk[u_3] = pk_4) && (pk_5[u_2, u_3] = the_pk) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) with ((the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7)) at 116 + - Replaced defined condition the_pk[u_3], pk_5[u_2, u_3], enc_8[u_2, u_3], aad_11[u_2, u_3], info_8[u_2, u_3], ct_9[u_2, u_3] with info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3] in find at 104 + - Replaced xor(nonce_6, seq_3) with nonce_6 at 59 +yields + +Game 5 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) 
&& (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + seq_4: nonce_t <- nonce_zero; + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + pt_8: bitstring <- test(b, m0, m1); + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to pt_8 + - Move assignment to seq_4 +yields + +Game 6 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + seq_3: nonce_t <- nonce_zero; + nonce_8: nonce_t <- 
nonce_6; + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_8); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + nonce_11: nonce_t <- nonce_9; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_11) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + seq_5: nonce_t <- nonce_zero; + nonce_14: nonce_t <- nonce_12; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_14); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on seq_5 (definition removed, all usages removed) + - Remove assignments on nonce_14 (definition 
removed, all usages removed) + - Remove assignments on nonce_11 (definition removed, all usages removed) + - Remove assignments on seq_3 (definition removed, all usages removed) + - Remove assignments on nonce_8 (definition removed, all usages removed) +yields + +Game 7 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + the_sk: skey_t <- skgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, the_sk) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, the_sk, pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat 
defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, the_sk) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_sk + - Remove assignments on the_sk (definition removed, all usages removed) +yields + +Game 8 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + the_pk: pkey_t <- pkgen(s); + return(the_pk); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3], the_pk[u_3]) && (the_pk[u_3] = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- 
get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(the_pk[i']) && (the_pk[i'] = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of binder the_pk + - Remove assignments on the_pk (definition removed, all usages removed) +yields + +Game 9 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && 
(enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence outsider_cca(AuthEncap) with variables: s -> s_1 [probability Adv_Outsider_CCA(time_1, N, #Ochall + #Oaenc, #Oadec)] + - Equivalence outsider_cca(AuthEncap) with variables: k_3 -> ks, k_2 -> ks, s -> s_1 +yields + +Game 10 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + k'_1 <-R kemkey_t; + {22} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (pk_R: pkey_t <- pk_3; find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_R = pkgen(s[ri_5])) then let AuthEncap_tuple(k_4: kemkey_t, ce: 
kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in k': kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_1, ce) else AuthEncap_None else AuthEncap_r(k_2, pk_R, skgen(s))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else +{182} let AuthDecap_Some(shared_secret_4: kemkey_t) = (pk_S: pkey_t <- pk_4; cd: kemciph_t <- enc_7; find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], s[ri_4], pk_R[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4]) && (pkgen(s) = pk_R[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_S) && (ce[ri_3, ri_4] = cd) then AuthDecap_Some(k'_1[u_7, u_8]) orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], s[ri_2], pk_R_1[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2]) && (pkgen(s) = pk_R_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_S) && (ce_1[ri_1, ri_2] = cd) then AuthDecap_Some(k'_3[u_5, u_6]) else AuthDecap(cd, skgen(s), pk_S)) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, 
aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k'_3 <-R kemkey_t; +{359} let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = (pk_R_1: pkey_t <- pk_5; {364}find u_4 = ri <= N suchthat defined(s[ri]) && (pk_R_1 = pkgen(s[ri])) then let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_R_1, skgen(s)) in k'_2: kemkey_t <- cst_kemkey_t; AuthEncap_tuple(k'_3, ce_1) else AuthEncap_None else AuthEncap_r(k_3, pk_R_1, skgen(s))) in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand [probability N^2 * P_pk_coll] + - Expand if/find/let + - Remove else branch of find at 364 + - Simplify pattern AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) (tuple expanded) at 359 + - Remove else branch of let at 359 + - A single branch always succeeds in find at 364 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 182 + - Remove else branch of let at 182 + - Simplify pattern AuthDecap_Some(shared_secret_4: kemkey_t) (tuple expanded) at 182 + - Remove else branch of let at 182 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 22 + - Remove else branch of let at 22 +yields + +Game 11 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + k'_1 <-R kemkey_t; + pk_R: pkey_t <- pk_3; + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_R = 
pkgen(s[ri_5])) then + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + enc_5: kemciph_t <- ce; + shared_secret_3: kemkey_t <- k'_1; + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_R, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + pk_S: pkey_t <- pk_4; + cd: kemciph_t <- enc_7; + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], s[ri_4], pk_R[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4]) && (pkgen(s) = pk_R[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_S) && (ce[ri_3, ri_4] = cd) then + shared_secret_4: kemkey_t <- k'_1[u_7, u_8]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, 
info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], s[ri_2], pk_R_1[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2]) && (pkgen(s) = pk_R_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_S) && (ce_1[ri_1, ri_2] = cd) then + shared_secret_4: kemkey_t <- k'_3[u_5, u_6]; + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(cd, skgen(s), pk_S) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k'_3 <-R kemkey_t; + pk_R_1: pkey_t <- pk_5; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_R_1, skgen(s)) in + k'_2: kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce_1; + shared_secret_5: kemkey_t <- k'_3; + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + 
else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pk_R_1 (definition removed, all usages removed) + - Remove assignments on shared_secret_5 (definition removed, all usages removed) + - Remove assignments on enc_8 (definition kept, array references kept) + - Remove assignments on pk_S (definition removed, all usages removed) + - Remove assignments on cd (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on shared_secret_4 (definition removed, all usages removed) + - Remove assignments on pk_R (definition removed, all usages removed) + - Remove assignments on enc_5 (definition removed, all usages removed) + - Remove assignments on shared_secret_3 (definition removed, all usages removed) +yields + +Game 12 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: 
kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else +{269} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(pk_3[ri_3, ri_4], k'[ri_3, ri_4], s[ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4]) && {279}((pkgen(s) = pk_3[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(pk_5[ri_1, ri_2], k'_2[ri_1, ri_2], s[ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2]) && {363}((pkgen(s) = pk_5[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7)) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- 
get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k'_3 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + k'_2: kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce_1; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify [probability N^2 * P_pk_coll] + - Simplification pass + - Replaced ((pkgen(s) = pk_5[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7)) with ((i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7)) at 
363 + - Replaced defined condition pk_5[ri_1, ri_2], k'_2[ri_1, ri_2], s[ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2] with k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] in find at 269 + - Replaced ((pkgen(s) = pk_3[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7)) with ((i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7)) at 279 + - Replaced defined condition pk_3[ri_3, ri_4], k'[ri_3, ri_4], s[ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4] with k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4] in find at 269 +yields + +Game 13 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + k_2 <-R kemseed_t; + k'_1 <-R kemkey_t; + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + return(SealAuth_None) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + else + 
return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= 
Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k'_3 <-R kemkey_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + k'_2: kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce_1; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((enc_8, ct_9)) + else + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move random number generation k'_3 + - Move random number generation k'_1 + - Move random number generation k_2 +yields + +Game 14 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_2 <-R kemseed_t; + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = 
AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_2 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_2, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- 
KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + k'_2: kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce_1; + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + k'_3 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_3 <-R kemkey_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Rename variable k_2 into k_7, k_6 +yields + +Game 15 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do 
+ Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = AuthEncap_r(k_7, pk_3, skgen(s)) in + k': kemkey_t <- cst_kemkey_t; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_6 <-R kemseed_t; + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_r(k_6, pk_3, skgen(s)) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'[ri_3, ri_4], 
k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_2[ri_1, ri_2], k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = AuthEncap_r(k_3, pk_5, skgen(s)) in + k'_2: kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce_1; + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- 
Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + k'_3 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_3 <-R kemkey_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence eliminate_failing(AuthEncap) + - Equivalence eliminate_failing(AuthEncap) +yields + +Game 16 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + {30} let AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) = (k_9: kemseed_t <- k_7; pk_7: pkey_t <- pk_3; sk_3: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_9, pk_7, sk_3), AuthEncap_enc(k_9, pk_7, sk_3))) in + k': kemkey_t <- cst_kemkey_t; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = AuthEncap_None in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + else + k_6 <-R kemseed_t; +{169} let AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) = (k_8: kemseed_t <- k_6; pk_6: pkey_t <- pk_3; sk_2: 
skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_8, pk_6, sk_2), AuthEncap_enc(k_8, pk_6, sk_2))) in + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + else + k'_1 <-R kemkey_t; + return(SealAuth_None) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: 
keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; +{568} let AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) = (k_10: kemseed_t <- k_3; pk_8: pkey_t <- pk_5; sk_4: skey_t <- skgen(s); AuthEncap_tuple(AuthEncap_key(k_10, pk_8, sk_4), AuthEncap_enc(k_10, pk_8, sk_4))) in + k'_2: kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce_1; + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + let AuthEncap_tuple(shared_secret_5: kemkey_t, enc_8: kemciph_t) = AuthEncap_None in + r_5: keys_t <- KeySchedule_auth(shared_secret_5, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + k'_3 <-R kemkey_t; + return((enc_8, ct_9)) + else + k'_3 <-R kemkey_t; + return(bottom) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Simplify pattern AuthEncap_tuple(k_5: kemkey_t, ce_1: kemciph_t) (tuple expanded) at 568 + - Remove else branch of let at 568 + - Simplify pattern AuthEncap_tuple(shared_secret_3: kemkey_t, enc_5: kemciph_t) (tuple expanded) at 169 + - Remove else branch of let at 169 + - Simplify pattern AuthEncap_tuple(k_4: kemkey_t, ce: kemciph_t) (tuple expanded) at 30 + - 
Remove else branch of let at 30 +yields + +Game 17 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + k_9: kemseed_t <- k_7; + pk_7: pkey_t <- pk_3; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_9, pk_7, sk_3); + k_4: kemkey_t <- AuthEncap_key(k_9, pk_7, sk_3); + k': kemkey_t <- cst_kemkey_t; + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + k_8: kemseed_t <- k_6; + pk_6: pkey_t <- pk_3; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_8, pk_6, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_8, pk_6, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], enc_8[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (enc_8[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- 
KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + k_10: kemseed_t <- k_3; + pk_8: pkey_t <- pk_5; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_10, pk_8, sk_4); + k_5: kemkey_t <- AuthEncap_key(k_10, pk_8, sk_4); + k'_2: kemkey_t <- cst_kemkey_t; + enc_8: kemciph_t <- ce_1; + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + 
else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k_10 (definition removed, all usages removed) + - Remove assignments on pk_8 (definition removed, all usages removed) + - Remove assignments on k_5 (definition removed, all usages removed) + - Remove assignments on k'_2 (definition removed, all usages removed) + - Remove assignments on enc_8 (definition removed, all usages removed) + - Remove assignments on k_8 (definition removed, all usages removed) + - Remove assignments on pk_6 (definition removed, all usages removed) + - Remove assignments on k_9 (definition removed, all usages removed) + - Remove assignments on pk_7 (definition removed, all usages removed) + - Remove assignments on k_4 (definition removed, all usages removed) + - Remove assignments on k' (definition removed, all usages removed) +yields + +Game 18 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_1 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_1, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + k'_1 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: 
kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_1[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_1[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' 
<= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying SA rename k'_1 + - Rename variable k'_1 into k'_5, k'_4 +yields + +Game 19 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); +{153} k'_5 <-R kemkey_t; + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && 
(ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + 
nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Remove random number generation at 153 +yields + +Game 20 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = 
u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_3[u_5, u_6], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + k'_3 <-R kemkey_t; + r_5: keys_t <- KeySchedule_auth(k'_3, info_8); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence 
prf(KeySchedule_auth) with k'_3 [probability Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec)] + - Equivalence prf(KeySchedule_auth) with variables: k'_3 -> k_1 +yields + +Game 21 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- 
get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_6[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then r_6[u_12, u_13] orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then r_7[u_5, u_6] else r_6 <-R keys_t; r_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + k'_3: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_1: bitstring <- info_8; {571}find [unique] u_10 = ri_8 <= Qdperuser, u_11 = ri_9 <= N suchthat 
defined(u_6[ri_8, ri_9], u_5[ri_8, ri_9], x[ri_8, ri_9], r_6[ri_8, ri_9]) && {580}((u_5[ri_8, ri_9] = ic) && (u_6[ri_8, ri_9] = i) && (x_1 = x[ri_8, ri_9])) then r_6[u_10, u_11] else r_7 <-R keys_t; r_7); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Replaced ((u_5[ri_8, ri_9] = ic) && (u_6[ri_8, ri_9] = i) && (x_1 = x[ri_8, ri_9])) with false at 580 + - Remove branch 1 in find at 571 + - Find at 571 removed (else branch kept if any) +yields + +Game 22 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], 
aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + r_4: keys_t <- (x: bitstring <- info_7; find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_6[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then r_6[u_12, u_13] orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then r_7[u_5, u_6] else r_6 <-R keys_t; r_6); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + 
return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + k'_3: kemkey_t <- cst_kemkey_t; + r_5: keys_t <- (x_1: bitstring <- info_8; r_7 <-R keys_t; r_7); + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 23 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= 
Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(k'_3[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + x: bitstring <- info_7; + find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(r_6[ri_12, ri_13], x[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (x = x[ri_12, ri_13]) then + r_4: keys_t <- r_6[u_12, u_13]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(x_1[u_5, u_6], r_7[u_5, u_6]) && (x = x_1[u_5, u_6]) then + r_4: keys_t <- r_7[u_5, u_6]; + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + r_4: keys_t <- r_6; + nonce_9: 
nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + k'_3: kemkey_t <- cst_kemkey_t; + x_1: bitstring <- info_8; + r_7 <-R keys_t; + r_5: keys_t <- r_7; + nonce_12: nonce_t <- get2(r_5); + key_10: key_t <- get1(r_5); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on k'_3 (definition removed, all usages removed) + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on r_5 (definition removed, all usages removed) + - Remove assignments on x (definition point kept, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) + - Remove assignments on r_4 (definition removed, all usages removed) +yields + +Game 24 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + 
return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else +{235} find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(ce_1[ri_1, 
ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + x: bitstring <- cst_bitstring; +{344} find [unique] u_12 = ri_12 <= Qdperuser, u_13 = ri_13 <= N suchthat defined(info_7[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13]) && (u_5[ri_12, ri_13] = u_5) && (u_6[ri_12, ri_13] = u_6) && (info_7 = info_7[ri_12, ri_13]) then + nonce_9: nonce_t <- get2(r_6[u_12, u_13]); + key_8: key_t <- get1(r_6[u_12, u_13]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(info_8[u_5, u_6], ce_1[u_5, u_6], r_7[u_5, u_6]) && (info_7 = info_8[u_5, u_6]) then + nonce_9: nonce_t <- get2(r_7[u_5, u_6]); + key_8: key_t <- get1(r_7[u_5, u_6]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + 
sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced defined condition info_8[u_5, u_6], ce_1[u_5, u_6], r_7[u_5, u_6] with an empty condition in find at 344 + - In branch 1 of find at 344, substituting u_13 with i + - Replaced defined condition info_7[ri_12, ri_13], x[ri_12, ri_13], r_6[ri_12, ri_13], u_6[ri_12, ri_13], u_5[ri_12, ri_13] with r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12] in find at 344 + - Replaced defined condition ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] with r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2] in find at 235 +yields + +Game 25 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach 
iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + x: bitstring <- cst_bitstring; + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + u_13 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_12]); + key_8: key_t <- get1(r_6[u_12]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- get2(r_7[u_5, u_6]); + key_8: key_t <- get1(r_7[u_5, u_6]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + 
else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying move all binders + - Move assignment to x +yields + +Game 26 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + 
k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + u_13 <= N <- i; + nonce_9: nonce_t <- get2(r_6[u_12]); + key_8: key_t <- get1(r_6[u_12]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + 
return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- get2(r_7[u_5, u_6]); + key_8: key_t <- get1(r_7[u_5, u_6]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on u_13 (definition removed, all usages removed) +yields + +Game 27 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: 
bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = 
i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + nonce_9: nonce_t <- get2(r_6[u_12]); + key_8: key_t <- get1(r_6[u_12]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- get2(r_7[u_5, u_6]); + key_8: key_t <- get1(r_7[u_5, u_6]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + r_7 <-R keys_t; + nonce_12: nonce_t <- get2(r_7); + key_10: key_t <- get1(r_7); + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, 
aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_7 -> r +yields + +Game 28 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], 
info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + nonce_9: nonce_t <- get2(r_6[u_12]); + key_8: key_t <- get1(r_6[u_12]); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- part2[u_5, u_6]; + key_8: key_t <- part1[u_5, u_6]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + r_6 <-R keys_t; + nonce_9: nonce_t <- get2(r_6); + key_8: key_t <- get1(r_6); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, 
m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2 <-R nonce_t; + part1 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence splitter(split) + - Equivalence splitter(split) with variables: r_6 -> r +yields + +Game 29 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, 
u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part2[ri_1, ri_2], part1[ri_1, ri_2], r_7[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], r_6[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + nonce_9: nonce_t <- part2_1[u_12]; + key_8: key_t <- part1_1[u_12]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + nonce_9: nonce_t <- part2[u_5, u_6]; + key_8: key_t <- part1[u_5, u_6]; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + r_6: keys_t <- cst_keys_t; + nonce_9: nonce_t <- part2_1; + key_8: key_t <- part1_1; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) 
+ else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2 <-R nonce_t; + part1 <-R key_t; + r_7: keys_t <- cst_keys_t; + nonce_12: nonce_t <- part2; + key_10: key_t <- part1; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, key_10, nonce_12); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on r_7 (definition removed, all usages removed) + - Remove assignments on nonce_12 (definition removed, all usages removed) + - Remove assignments on key_10 (definition removed, all usages removed) + - Remove assignments on r_6 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) + - Remove assignments on nonce_9 (definition removed, all usages removed) + - Remove assignments on key_8 (definition removed, all usages removed) +yields + +Game 30 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R 
keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat 
defined(part2[ri_1, ri_2], part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1[u_5, u_6], part2[u_5, u_6]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + return((ce_1, ct_9)) + else + 
return(bottom) + else + return(bottom) + )) + + +Applying equivalence int_ctxt(Seal_inner) with part1 [probability Adv_ctxt(time_3, #Ochall, #Oadec)] + - Equivalence int_ctxt(Seal_inner) with variables: part2 -> n, part1 -> k_1 +yields + +Game 31 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- 
KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then +{422} let injbot(pt_7: bitstring) = (y: bitstring <- c; c_d: bitstring <- aad_10; if defined(x_2[u_5, u_6], d[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = y) && (d[u_5, u_6] = c_d) then injbot(x_2[u_5, u_6]) else bottom) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, 
m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + ct_9: bitstring <- (x_2: bitstring <- pt_8; d: bitstring <- aad_11; r_8: bitstring <- Seal_inner(x_2, d, part1, part2); r_8); + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let + - Remove let at 422 + - Simplify pattern injbot(pt_7: bitstring) (tuple expanded) at 422 + - Remove else branch of let at 422 +yields + +Game 32 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(ce_1[u_2, u_3], s[u_3], info_8[u_2, 
u_3], aad_11[u_2, u_3], ct_9[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (ct_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then + y: bitstring <- c; + c_d: bitstring <- aad_10; + if defined(x_2[u_5, u_6], d[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = y) && (d[u_5, u_6] = c_d) then + pt_7: bitstring <- x_2[u_5, u_6]; + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let 
AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + x_2: bitstring <- pt_8; + d: bitstring <- aad_11; + r_8: bitstring <- Seal_inner(x_2, d, part1, part2); + ct_9: bitstring <- r_8; + return((ce_1, ct_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on x_2 (definition removed, all usages removed) + - Remove assignments on d (definition removed, all usages removed) + - Remove assignments on ct_9 (definition removed, all usages removed) + - Remove assignments on y (definition removed, all usages removed) + - Remove assignments on c_d (definition removed, all usages removed) + - Remove assignments on pt_7 (definition removed, all usages removed) +yields + +Game 33 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, 
info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then +{346} find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let 
injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat info_7 = info_8[u_5, u_6] then +{422} if defined(aad_11[u_5, u_6], pt_8[u_5, u_6], r_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10) then + return(OpenAuth_Some(Context_Open_Some(pt_8[u_5, u_6]))) + else + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Simplified find at 422 in branch of find at 346 +yields + +Game 34 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: 
bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = 
pk_4) && (ce_1[ri_1, ri_2] = enc_7) then +{346} find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind suchthat defined(aad_11[u_5, u_6], pt_8[u_5, u_6], r_8[u_5, u_6]) && {429}((info_7 = info_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10)) then + return(OpenAuth_Some(Context_Open_Some(pt_8[u_5, u_6]))) + else +{476} if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2 <-R nonce_t; + part1 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - 
Simplification pass + - Transformed find at 476 into a test + - Replaced ((info_7 = info_8[u_5, u_6]) && (r_8[u_5, u_6] = c) && (aad_11[u_5, u_6] = aad_10)) with false at 429 + - Remove branch 2 in find at 346 +yields + +Game 35 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, 
u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2 <-R nonce_t; + part1 <-R key_t; + 
pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- Seal_inner(pt_8, aad_11, part1, part2); + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying equivalence ind_cpa(Seal_inner) [probability Adv_cpa(time_4, #Ochall)] + - Equivalence ind_cpa(Seal_inner) with variables: part2 -> n, part1 -> k_1 +yields + +Game 36 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = 
u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + 
sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + part1: key_t <- cst_key_t; + pt_8: bitstring <- test(b, m0, m1); + r_8: bitstring <- (x_3: bitstring <- pt_8; d_1: bitstring <- aad_11; r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); r_9); + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 37 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_8[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_8[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= 
Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N 
suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + part1: key_t <- cst_key_t; + pt_8: bitstring <- test(b, m0, m1); + x_3: bitstring <- pt_8; + d_1: bitstring <- aad_11; + r_9: bitstring <- enc'(Length(x_3), d_1, part1_2, part2_2); + r_8: bitstring <- r_9; + return((ce_1, r_8)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on part1 (definition removed, all usages removed) + - Remove assignments on x_3 (definition removed, all usages removed) + - Remove assignments on d_1 (definition removed, all usages removed) + - Remove assignments on r_8 (definition removed, all usages removed) +yields + +Game 38 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: 
bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: 
nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_9: bitstring <- {571}enc'(Length(pt_8), aad_11, part1_2, part2_2); + return((ce_1, r_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying simplify + - Simplification pass + - Replaced enc'(Length(pt_8), aad_11, part1_2, part2_2) with enc'(Length(m0), aad_11, part1_2, part2_2) at 571 +yields + +Game 39 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + 
return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let 
AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + pt_8: bitstring <- test(b, m0, m1); + r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); + return((ce_1, r_9)) + else + return(bottom) + else + return(bottom) + )) + + +Applying remove assignments of findcond + - Remove assignments on pt_8 (definition removed, all usages removed) +yields + +Game 40 is + Ostart() := + b <-R bool; + return(); + foreach i <= N do + Osetup() := + s <-R keypairseed_t; + return(pkgen(s)); + (( + foreach iae <= Qeperuser do + Oaenc(pk_3: pkey_t, m: bitstring, aad_9: bitstring, info_6: bitstring) := + find u_9 = ri_5 <= N suchthat defined(s[ri_5]) && (pk_3 = pkgen(s[ri_5])) then + k_7 <-R kemseed_t; + sk_3: skey_t <- skgen(s); + ce: kemciph_t <- AuthEncap_enc(k_7, pk_3, sk_3); + k'_4 <-R kemkey_t; + r_3: keys_t <- KeySchedule_auth(k'_4, info_6); + nonce_6: nonce_t <- get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(ce, ct_7)) + else + k_6 <-R kemseed_t; + sk_2: skey_t <- skgen(s); + enc_5: kemciph_t <- AuthEncap_enc(k_6, pk_3, sk_2); + shared_secret_3: kemkey_t <- AuthEncap_key(k_6, pk_3, sk_2); + r_3: keys_t <- KeySchedule_auth(shared_secret_3, info_6); + nonce_6: nonce_t <- 
get2(r_3); + key_6: key_t <- get1(r_3); + ct_7: bitstring <- Seal_inner(m, aad_9, key_6, nonce_6); + return(SealAuth_Some(enc_5, ct_7)) + ) | ( + foreach iad <= Qdperuser do + Oadec(pk_4: pkey_t, enc_7: kemciph_t, c: bitstring, aad_10: bitstring, info_7: bitstring) := + find u = u_2 <= Qcperuser, u_1 = u_3 <= N suchthat defined(r_9[u_2, u_3], ce_1[u_2, u_3], s[u_3], info_8[u_2, u_3], aad_11[u_2, u_3], i'_1[u_2, u_3]) && (pkgen(s[u_3]) = pk_4) && (i'_1[u_2, u_3] = i) && (ce_1[u_2, u_3] = enc_7) && (r_9[u_2, u_3] = c) && (aad_11[u_2, u_3] = aad_10) && (info_8[u_2, u_3] = info_7) then + return(OpenAuth_None) + else + find u_7 = ri_3 <= Qeperuser, u_8 = ri_4 <= N suchthat defined(k'_4[ri_3, ri_4], ce[ri_3, ri_4], s[ri_4], u_9[ri_3, ri_4]) && (i = u_9[ri_3, ri_4]) && (pkgen(s[ri_4]) = pk_4) && (ce[ri_3, ri_4] = enc_7) then + r_4: keys_t <- KeySchedule_auth(k'_4[u_7, u_8], info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + orfind u_5 = ri_1 <= Qcperuser, u_6 = ri_2 <= N suchthat defined(part1_2[ri_1, ri_2], info_8[ri_1, ri_2], ce_1[ri_1, ri_2], s[ri_2], i'_1[ri_1, ri_2]) && (i = i'_1[ri_1, ri_2]) && (pkgen(s[ri_2]) = pk_4) && (ce_1[ri_1, ri_2] = enc_7) then + find [unique] u_12 = ri_12 <= Qdperuser suchthat defined(part2_1[ri_12], part1_1[ri_12], info_7[ri_12], u_6[ri_12], u_5[ri_12]) && (u_5[ri_12] = u_5) && (u_6[ri_12] = u_6) && (info_7 = info_7[ri_12]) then + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1[u_12], part2_1[u_12]) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + if info_7 = info_8[u_5, u_6] then + return(OpenAuth_Some(Context_Open_None)) + else + part2_1 <-R nonce_t; + part1_1 <-R key_t; + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, part1_1, part2_1) in + 
return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + let AuthDecap_Some(shared_secret_4: kemkey_t) = AuthDecap(enc_7, skgen(s), pk_4) in + r_4: keys_t <- KeySchedule_auth(shared_secret_4, info_7); + nonce_9: nonce_t <- get2(r_4); + key_8: key_t <- get1(r_4); + let injbot(pt_7: bitstring) = Open_inner(c, aad_10, key_8, nonce_9) in + return(OpenAuth_Some(Context_Open_Some(pt_7))) + else + return(OpenAuth_Some(Context_Open_None)) + else + return(OpenAuth_None) + ) | ( + foreach ic <= Qcperuser do + Ochall(pk_5: pkey_t, m0: bitstring, m1: bitstring, aad_11: bitstring, info_8: bitstring) := + find i'_1 = i' <= N suchthat defined(s[i']) && (pkgen(s[i']) = pk_5) then + if Length(m0) = Length(m1) then + k_3 <-R kemseed_t; + sk_4: skey_t <- skgen(s); + ce_1: kemciph_t <- AuthEncap_enc(k_3, pk_5, sk_4); + part2_2 <-R nonce_t; + part1_2 <-R key_t; + r_9: bitstring <- enc'(Length(m0), aad_11, part1_2, part2_2); + return((ce_1, r_9)) + else + return(bottom) + else + return(bottom) + )) + + +Proved secrecy of b in game 40 +Adv[Game 1: secrecy of b] <= 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Outsider_CCA(time_1, N, #Ochall + #Oaenc, #Oadec) + 6 * N^2 * P_pk_coll + Adv[Game 40: secrecy of b] +Adv[Game 40: secrecy of b] <= 0 +RESULT Proved secrecy of b up to probability 2 * Adv_cpa(time_4, #Ochall) + 2 * Adv_ctxt(time_3, #Ochall, #Oadec) + 2 * Adv_PRF_KeySchedule(time_2, #Ochall, #Ochall + #Oadec) + 2 * Adv_Outsider_CCA(time_1, N, #Ochall + #Oaenc, #Oadec) + 6 * N^2 * P_pk_coll +RESULT time_1 = time + time(context for game 9) = (#Oaenc + #Ochall) * time(let AuthEncap_tuple) + #Oaenc * time(KeySchedule_auth, maxlength(game 9: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 9: m), maxlength(game 9: aad_9)) + #Oaenc * time(SealAuth_Some, 
maxlength(game 9: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: ct_9), maxlength(game 9: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: aad_11), maxlength(game 9: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 9: info_8), maxlength(game 9: info_7)) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 9: info_7)) + #Oadec * time(Open_inner, maxlength(game 9: c), maxlength(game 9: aad_10)) + #Oadec * time(let injbot, maxlength(game 9: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 9: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 9: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 9: m0)), length(Length, maxlength(game 9: m1))) + #Ochall * time(Length, maxlength(game 9: m1)) + #Ochall * time(Length, maxlength(game 9: m0)) + #Ochall * time(KeySchedule_auth, maxlength(game 9: info_8)) + #Ochall * time(test, maxlength(game 9: m0), maxlength(game 9: m1)) + #Ochall * time(Seal_inner, maxlength(game 9: pt_8), maxlength(game 9: aad_11)) + time +RESULT time_2 = time + time(context for game 20) = (N + #Oaenc * N + #Oadec * #Oaenc + 2 * #Oadec * #Ochall + #Ochall * N) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 20: info_6)) + (#Oaenc + #Oadec + #Ochall) * time(get2) + (#Oaenc + #Oadec + #Ochall) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 20: m), maxlength(game 20: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 20: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 20: ct_9), maxlength(game 20: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 20: aad_11), maxlength(game 20: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 20: info_8), maxlength(game 20: info_7)) + #Oadec * time(AuthDecap) + 
#Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 20: info_7)) + #Oadec * time(Open_inner, maxlength(game 20: c), maxlength(game 20: aad_10)) + #Oadec * time(let injbot, maxlength(game 20: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 20: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 20: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 20: m0)), length(Length, maxlength(game 20: m1))) + #Ochall * time(Length, maxlength(game 20: m1)) + #Ochall * time(Length, maxlength(game 20: m0)) + #Ochall * time(test, maxlength(game 20: m0), maxlength(game 20: m1)) + #Ochall * time(Seal_inner, maxlength(game 20: pt_8), maxlength(game 20: aad_11)) + time +RESULT time_3 = time + time(context for game 30) = (N + #Oaenc * N + #Oadec * #Oaenc + 2 * #Oadec * #Ochall + #Ochall * N) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 30: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 30: m), maxlength(game 30: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 30: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 30: ct_9), maxlength(game 30: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 30: aad_11), maxlength(game 30: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 30: info_8), maxlength(game 30: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 30: info_7), maxlength(game 30: info_7)) + #Oadec * time(= bitstring, maxlength(game 30: info_7), maxlength(game 30: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 30: info_7)) + #Oadec * time(Open_inner, maxlength(game 30: c), maxlength(game 30: aad_10)) + #Oadec * 
time(let injbot, maxlength(game 30: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 30: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 30: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= bitstring, length(Length, maxlength(game 30: m0)), length(Length, maxlength(game 30: m1))) + #Ochall * time(Length, maxlength(game 30: m1)) + #Ochall * time(Length, maxlength(game 30: m0)) + #Ochall * time(test, maxlength(game 30: m0), maxlength(game 30: m1)) + time +RESULT time_4 = time + time(context for game 35) = (N + #Oaenc * N + #Oadec * #Oaenc + 2 * #Oadec * #Ochall + #Ochall * N) * time(pkgen) + (#Oaenc + #Oadec + #Ochall) * time(skgen) + (#Oaenc + #Ochall) * time(AuthEncap_enc) + #Oaenc * time(AuthEncap_key) + #Oaenc * time(KeySchedule_auth, maxlength(game 35: info_6)) + (#Oaenc + #Oadec) * time(get2) + (#Oaenc + #Oadec) * time(get1) + #Oaenc * time(Seal_inner, maxlength(game 35: m), maxlength(game 35: aad_9)) + #Oaenc * time(SealAuth_Some, maxlength(game 35: ct_7)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 35: r_8), maxlength(game 35: c)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 35: aad_11), maxlength(game 35: aad_10)) + #Oadec * #Ochall * time(= bitstring, maxlength(game 35: info_8), maxlength(game 35: info_7)) + #Oadec * Qdperuser * time(= bitstring, maxlength(game 35: info_7), maxlength(game 35: info_7)) + #Oadec * time(= bitstring, maxlength(game 35: info_7), maxlength(game 35: info_8)) + #Oadec * time(AuthDecap) + #Oadec * time(let AuthDecap_Some) + #Oadec * time(KeySchedule_auth, maxlength(game 35: info_7)) + #Oadec * time(Open_inner, maxlength(game 35: c), maxlength(game 35: aad_10)) + #Oadec * time(let injbot, maxlength(game 35: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_Some, maxlength(game 35: pt_7))) + #Oadec * time(Context_Open_Some, maxlength(game 35: pt_7)) + #Oadec * time(OpenAuth_Some, length(Context_Open_None)) + #Ochall * time(= 
bitstring, length(Length, maxlength(game 35: m0)), length(Length, maxlength(game 35: m1))) + #Ochall * time(Length, maxlength(game 35: m1)) + #Ochall * time(Length, maxlength(game 35: m0)) + #Ochall * time(test, maxlength(game 35: m0), maxlength(game 35: m1)) + time +All queries proved.
diff --git a/keyschedule.auth.prf.ocv b/keyschedule.auth.prf.ocv
index 90bc198..74e2080 100644
--- a/keyschedule.auth.prf.ocv
+++ b/keyschedule.auth.prf.ocv
@@ -200,17 +200,14 @@ proof {
 crypto prf(Extract_PRF);
 out_game "l07.out.cv";
 (* Temporarily disable elimination of collisions, especially for the
- collision resistant hash function (in fact, allows elimination
- of collisions when their probability is estimated <= 2^-200, and
- by default the probability of collisions for the hash function is
- estimated 2^-160) *)
- allowed_collisions pest200;
+ collision resistant hash function. *)
+ allowed_collisions ;
 crypto prf(Expand_PRF) **;
 (* Reenable elimination of collisions on the hash function. The goal is to eliminate all these collisions in one step, to avoid having several terms in the probability for the elimination of collisions for the hash function. *)
- allowed_collisions pest128;
+ allowed_collisions 1/large;
 simplify;
 crypto truncate(truncate_to_Nk);
 crypto truncate(truncate_to_Nn);
diff --git a/keyschedule.auth.prf.proof b/keyschedule.auth.prf.proof
index 2d5593f..a39b8a9 100644
--- a/keyschedule.auth.prf.proof
+++ b/keyschedule.auth.prf.proof
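Review bot: The rewritten comment above `allowed_collisions ;` no longer says what the empty argument means, whereas the removed text documented the threshold it replaced (collisions eliminated when their estimated probability was <= 2^-200, against the hash function's default of 2^-160), and the later `allowed_collisions 1/large;` gets no explanation either. If the empty list means that no collision is eliminated until the next `allowed_collisions` command, it is worth stating, e.g. `(* An empty allowed_collisions list: eliminate no collisions at all until the next allowed_collisions command. *)`. Likewise a short note such as `(* 1/large: only collisions whose probability is a constant over the size of a large type are eliminated here *)` would record why this bound suffices for the hash-function collisions the next comment talks about; please confirm both semantics against the CryptoVerif manual for the version this proof targets, since the note is inferred from the syntax rather than shown in the hunk. The enclosing `proof { ... }` block begins before and ends after this hunk.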
@@ -1,1565 +1,1559 @@ -Initial state -Game 2 is - Ostart() := - cr_key_3 <-R cr_key_t; - return(cr_key_3); - (( - foreach ikey_1 <= Nkey do - Ok() := - return(); - foreach i_1 <= Nperkey do - Oprf(info_4: bitstring) := - find [unique] j_1 = j <= Nperkey suchthat defined(info_4[j], r[j]) && (info_4[j] = info_4) then - return(r[j_1]) - else - r <-R keys_t; - return(r) - ) | ( - OH() := - return(cr_key_3) - )) - -Initial state -Game 1 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - return((mode: mode_t <- mode_auth; psk: bitstring <- default_psk; psk_id: bitstring <- default_psk_id; psk_id_hash: cr_output_t <- (salt_3: cr_salt_t <- empty; label_5: label_extract_t <- label_psk_id_hash; labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); Extract_CR(cr_key_2, salt_3, labeled_input)); info_hash: cr_output_t <- (salt_4: cr_salt_t <- empty; label_6: label_extract_t <- label_info_hash; labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); Extract_CR(cr_key_2, salt_4, labeled_input_1)); key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); secrett: extract_t <- (label_7: label_extract_t <- label_secret; IKM: bitstring <- psk; labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, IKM); Extract_PRF(k, labeled_IKM)); key: key_t <- (label_8: label_expand_t <- label_key; L_2: length_t <- Nk; truncate_to_Nk((labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); Expand_PRF(secrett, labeledInfo)))); base_nonce: nonce_t <- (label_9: label_expand_t <- label_base_nonce; L_3: length_t <- Nn; truncate_to_Nn((labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); Expand_PRF(secrett, labeledInfo_1)))); concat(key, base_nonce))) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying 
expand - - Expand if/find/let -yields - -Game 3 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - psk: bitstring <- default_psk; - psk_id: bitstring <- default_psk_id; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - IKM: bitstring <- psk; - labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, IKM); - secrett: extract_t <- Extract_PRF(k, labeled_IKM); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on IKM (definition removed, all usages removed) -yields - -Game 4 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - psk: bitstring <- 
default_psk; - psk_id: bitstring <- default_psk_id; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, psk); - secrett: extract_t <- Extract_PRF(k, labeled_IKM); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of binder psk - - Remove assignments on psk (definition removed, all usages removed) -yields - -Game 5 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - psk_id: bitstring <- default_psk_id; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t 
<- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, default_psk); - secrett: extract_t <- Extract_PRF(k, labeled_IKM); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of binder psk_id - - Remove assignments on psk_id (definition removed, all usages removed) -yields - -Game 6 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - labeled_IKM: bitstring <- concat_PRF(RFCXXXX, 
suite_id, label_7, default_psk); - secrett: extract_t <- Extract_PRF(k, labeled_IKM); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of binder labeled_IKM - - Remove assignments on labeled_IKM (definition removed, all usages removed) -yields - -Game 7 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_7: label_extract_t <- label_secret; - secrett: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_7, default_psk)); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - 
labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of binder label_7 - - Remove assignments on label_7 (definition removed, all usages removed) -yields - -Game 8 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - {11} return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying insert instruction sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)) at occurrence 11 -yields - -Game 9 is - Ostart() := - 
cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- {84}Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying use variable(s) sec - - Use variable sec - - Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)) replaced with sec at 84 -yields - -Game 10 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - {26} mode: mode_t <- mode_auth; - salt_3: 
cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying insert instruction find [unique] l_1 = l <= Nperkey suchthat - defined(else_br[l], info_3[l]) - && (info_3[l] = info_3) - then else else_br <- true at occurrence 26 -yields - -Game 11 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- 
empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - else - else_br: bool <- true; - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); -{293} return(concat(key, base_nonce)) - ) | ( - 
OH() := - return(cr_key_2) - )) - - -Applying insert instruction r_1 <- concat(key, base_nonce) at occurrence 293 -yields - -Game 12 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(concat(key, base_nonce)) - else - else_br: bool <- true; - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- 
label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return({303}concat(key, base_nonce)) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying use variable(s) r_1 - - Use variable r_1 - - concat(key, base_nonce) replaced with r_1 at 303 -yields - -Game 13 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t 
<- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return({152}concat(key, base_nonce)) - else - else_br: bool <- true; - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying replace term at occurrence 152 with r_1[l_1] -yields - -Game 14 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, 
suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - return(r_1[l_1]) - else - else_br: bool <- true; - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - secrett: extract_t <- sec; - label_8: label_expand_t <- label_key; - 
L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on else_br (definition removed, all usages removed) - - Remove assignments on secrett (definition removed, all usages removed) - - Remove assignments on secrett (definition removed, all usages removed) - - Remove assignments on key (definition removed, all usages removed) - - Remove assignments on base_nonce (definition removed, all usages removed) - - Remove assignments on labeledInfo (definition removed, all usages removed) - - Remove assignments on labeledInfo_1 (definition removed, all usages removed) - - Remove assignments on key_schedule_context (definition removed, all usages removed) - - Remove assignments on label_8 (definition removed, all usages removed) - - Remove assignments on L_2 (definition removed, all usages removed) - - Remove assignments on label_9 (definition removed, all usages removed) - - Remove assignments on L_3 (definition removed, all usages removed) - - Remove assignments on mode (definition removed, all usages removed) - - Remove assignments on psk_id_hash (definition removed, all usages removed) - - Remove assignments on info_hash (definition removed, all usages removed) - - Remove assignments on salt_3 (definition removed, all usages removed) - - Remove assignments on labeled_input (definition removed, all usages removed) - - Remove assignments on salt_4 (definition removed, all usages removed) - - Remove assignments on labeled_input_1 (definition 
removed, all usages removed) - - Remove assignments on label_5 (definition removed, all usages removed) - - Remove assignments on label_6 (definition removed, all usages removed) -yields - -Game 15 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - k <-R kemkey_t; - sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence prf(Extract_PRF) [probability P_PRF_Extract(time(context for game 15) + time, Nkey, Nkey)] - - Equivalence prf(Extract_PRF) with variables: k -> k_2 -yields - -Game 16 is - Ostart() := - cr_key_2 <-R cr_key_t; - 
return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - sec: extract_t <- (x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); if defined(x, r_2) && {20}(x = x) then r_2 else r_2 <-R extract_t; r_2); - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Replaced (x = x) with true at 20 -yields - -Game 17 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - sec: extract_t <- (x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); {17}if defined(x, r_2) then r_2 else r_2 <-R extract_t; r_2); - return(); - foreach i <= Nperkey do - 
Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying expand - - Expand if/find/let - - Remove branch 1 in find at 17 - - Find at 17 removed (else branch kept if any) -yields - -Game 18 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); - r_2 <-R extract_t; - sec: extract_t <- r_2; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring 
<- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on x (definition removed, all usages removed) - - Remove assignments on sec (definition removed, all usages removed) -yields - -Game 19 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - r_2 <-R extract_t; - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- 
Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk(Expand_PRF(r_2, labeledInfo)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(r_2, labeledInfo_1)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence prf(Expand_PRF) [probability P_PRF_Expand(time(context for game 19) + time, Nkey, 2 * #Oprf)] - - Equivalence prf(Expand_PRF) with variables: r_2 -> k_2 -yields - -Game 20 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk((x_1: bitstring <- labeledInfo; 
{116}find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then r_3[u_3] orfind u_2 = ri_5 <= Nperkey suchthat defined(x_2[ri_5], r_4[ri_5]) && {137}(x_1 = x_2[ri_5]) then r_4[u_2] else r_3 <-R expand_t; r_3)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn((x_2: bitstring <- labeledInfo_1; {176}find [unique] u_1 = ri_3 <= Nperkey suchthat defined(x_1[ri_3], r_3[ri_3]) && {181}(x_2 = x_1[ri_3]) then r_3[u_1] orfind u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then r_4[u] else r_4 <-R expand_t; r_4)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying simplify (non-expanded game) - - Simplification pass - - Replaced (x_1 = x_2[ri_5]) with false at 137 - - Remove branch 2 in find at 116 - - Replaced (x_2 = x_1[ri_3]) with false at 181 - - Remove branch 1 in find at 176 -yields - -Game 21 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: 
label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - key: key_t <- truncate_to_Nk((x_1: bitstring <- labeledInfo; find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then r_3[u_3] else r_3 <-R expand_t; r_3)); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - base_nonce: nonce_t <- truncate_to_Nn((x_2: bitstring <- labeledInfo_1; find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then r_4[u] else r_4 <-R expand_t; r_4)); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying expand - - Expand if/find/let -yields - -Game 22 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - x_1: bitstring <- labeledInfo; - find [unique] u_3 = ri_7 <= 
Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; - find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; - find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on x_1 (definition removed, all usages removed) - - Remove assignments on x_2 (definition kept, array references kept) - - Remove assignments on x_2 (definition kept, array references kept) -yields - -Game 23 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: 
bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); -{110} find [unique] u_3 = ri_7 <= Nperkey suchthat defined(labeledInfo[ri_7], labeledInfo[ri_7], r_3[ri_7]) && {117}(labeledInfo = labeledInfo[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; -{152} find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && {157}(labeledInfo_1 = x_2[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; -{241} find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && {246}(labeledInfo_1 = x_2[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - 
return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying simplify - - Simplification pass - - Replaced (labeledInfo_1 = x_2[ri_1]) with (info_hash = info_hash[ri_1]) at 246 - - Replaced defined condition x_2[ri_1], r_4[ri_1] with r_4[ri_1], info_hash[ri_1] in find at 241 - - Replaced (labeledInfo = labeledInfo[ri_7]) with (info_hash = info_hash[ri_7]) at 117 - - Replaced (labeledInfo_1 = x_2[ri_1]) with (info_hash = info_hash[ri_1]) at 157 - - Replaced defined condition x_2[ri_1], r_4[ri_1] with r_4[ri_1], info_hash[ri_1] in find at 152 - - Replaced defined condition labeledInfo[ri_7], labeledInfo[ri_7], r_3[ri_7] with r_3[ri_7], info_hash[ri_7] in find at 110 -yields - -Game 24 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - mode: mode_t <- mode_auth; - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); - label_8: label_expand_t <- label_key; - L_2: length_t <- Nk; - labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); - find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && (info_hash = info_hash[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring 
<- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - label_9: label_expand_t <- label_base_nonce; - L_3: length_t <- Nn; - labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); - x_2: bitstring <- labeledInfo_1; - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying move all binders - - Move assignment to x_2 - - Move assignment to labeledInfo_1 - - Move assignment to L_3 - - Move assignment to label_9 - - Move assignment to x_2 - - Move assignment to labeledInfo_1 - - Move assignment to L_3 - - Move assignment to label_9 - - Move assignment to labeledInfo - - Move assignment to L_2 - - Move assignment to label_8 - - Move assignment to key_schedule_context - - Move assignment to mode -yields - -Game 25 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - salt_3: cr_salt_t <- empty; - label_5: label_extract_t <- label_psk_id_hash; - labeled_input: bitstring <- 
concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); - psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && (info_hash = info_hash[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on psk_id_hash (definition removed, all usages removed) - - Remove assignments on salt_3 (definition removed, all usages removed) - - Remove assignments on labeled_input (definition removed, all usages removed) - - Remove assignments on label_5 (definition removed, all usages removed) -yields - -Game 26 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - 
else - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - {59} find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && {64}(info_hash = info_hash[ri_7]) then - key: key_t <- truncate_to_Nk(r_3[u_3]); - find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); -{142} find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && {147}(info_hash = info_hash[ri_1]) then - base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - else - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying simplify [probability P_hashcoll(time + time(context for game 26))] - - Simplification pass - - Replaced (info_hash = info_hash[ri_1]) with (info_3 = info_3[ri_1]) at 147 - - Remove branch 1 in find at 142 - - Find at 142 removed (else branch kept if any) - - Replaced (info_hash = info_hash[ri_7]) with (info_3 = info_3[ri_7]) at 64 - - Remove branch 1 in find at 59 - - Find at 59 removed (else branch kept if any) -yields - -Game 27 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - salt_4: cr_salt_t <- 
empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - r_3 <-R expand_t; - key: key_t <- truncate_to_Nk(r_3); - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence truncate(truncate_to_Nk) - - Equivalence truncate(truncate_to_Nk) with variables: r_3 -> h -yields - -Game 28 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - salt_4: cr_salt_t <- empty; - label_6: label_extract_t <- label_info_hash; - labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); - info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); - k_1 <-R key_t; - key: key_t <- k_1; - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(key, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on info_hash (definition removed, all usages removed) - - Remove assignments on key (definition removed, all usages removed) - - Remove assignments on salt_4 (definition removed, all usages removed) - - Remove assignments on labeled_input_1 (definition removed, all usages removed) - - Remove assignments on label_6 (definition removed, all usages removed) -yields - -Game 29 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = 
info_3) then - return(r_1[l_1]) - else - k_1 <-R key_t; - r_4 <-R expand_t; - base_nonce: nonce_t <- truncate_to_Nn(r_4); - r_1: keys_t <- concat(k_1, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence truncate(truncate_to_Nn) - - Equivalence truncate(truncate_to_Nn) with variables: r_4 -> h -yields - -Game 30 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - k_1 <-R key_t; - k_2 <-R nonce_t; - base_nonce: nonce_t <- k_2; - r_1: keys_t <- concat(k_1, base_nonce); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on base_nonce (definition removed, all usages removed) -yields - -Game 31 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - k_1 <-R key_t; - k_2 <-R nonce_t; - r_1: keys_t <- concat(k_1, k_2); - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying equivalence concat_random - - Equivalence concat_random with variables: k_2 -> k2, k_1 -> k1 -yields - -Game 32 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then - return(r_1[l_1]) - else - k_3 <-R keys_t; - r_1: keys_t <- k_3; - return(r_1) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying remove assignments of findcond - - Remove assignments on r_1 (definition removed, all 
usages removed) -yields - -Game 33 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - {16} find [unique] l_1 = l <= Nperkey suchthat defined(k_3[l], k_3[l], info_3[l]) && (info_3[l] = info_3) then - return(k_3[l_1]) - else - k_3 <-R keys_t; - return(k_3) - ) | ( - OH() := - return(cr_key_2) - )) - - -Applying simplify - - Simplification pass - - Replaced defined condition k_3[l], k_3[l], info_3[l] with k_3[l], info_3[l] in find at 16 -yields - -Game 34 is - Ostart() := - cr_key_2 <-R cr_key_t; - return(cr_key_2); - (( - foreach ikey <= Nkey do - Ok() := - return(); - foreach i <= Nperkey do - Oprf(info_3: bitstring) := - find [unique] l_1 = l <= Nperkey suchthat defined(k_3[l], info_3[l]) && (info_3[l] = info_3) then - return(k_3[l_1]) - else - k_3 <-R keys_t; - return(k_3) - ) | ( - OH() := - return(cr_key_2) - )) - - -Proved indistinguishability between game 34 and game 2 -Game 34 is the same as game 2. 
-Adv[Game 2: indistinguishability from game 2] <= 0 + Adv[Game 2: indistinguishability from game 2] -Adv[Game 2: indistinguishability from game 2] <= 0 -Adv[Game 1: indistinguishability from game 34] <= P_hashcoll(time_1) + P_PRF_Expand(time_2, Nkey, 2 * #Oprf) + P_PRF_Extract(time_3, Nkey, Nkey) + Adv[Game 34: indistinguishability from game 34] -Adv[Game 34: indistinguishability from game 34] <= 0 -RESULT Proved indistinguishability between game 1 and game 2 up to probability P_hashcoll(time_1) + P_PRF_Expand(time_2, Nkey, 2 * #Oprf) + P_PRF_Extract(time_3, Nkey, Nkey) -RESULT time_1 = time + time(context for game 26) -RESULT time_2 = time(context for game 19) + time -RESULT time_3 = time(context for game 15) + time -RESULT time(context for game 15) = Nkey * time(concat_PRF, length(default_psk)) + #Oprf * Nperkey * time(= bitstring, maxlength(game 15: info_3), maxlength(game 15: info_3)) + #Oprf * time(concat_CR, length(default_psk_id)) + #Oprf * time(Extract_CR, maxlength(game 15: labeled_input)) + #Oprf * time(concat_CR, maxlength(game 15: info_3)) + #Oprf * time(Extract_CR, maxlength(game 15: labeled_input_1)) + #Oprf * time(concat_KeySched) + #Oprf * time(truncate_to_Nk) + #Oprf * time(Expand_PRF, maxlength(game 15: labeledInfo)) + 2 * #Oprf * time(concat_Expand, maxlength(game 15: key_schedule_context)) + #Oprf * time(truncate_to_Nn) + #Oprf * time(Expand_PRF, maxlength(game 15: labeledInfo_1)) + #Oprf * time(concat) -RESULT time(context for game 19) = #Oprf * Nperkey * time(= bitstring, maxlength(game 19: info_3), maxlength(game 19: info_3)) + #Oprf * time(concat_CR, length(default_psk_id)) + #Oprf * time(Extract_CR, maxlength(game 19: labeled_input)) + #Oprf * time(concat_CR, maxlength(game 19: info_3)) + #Oprf * time(Extract_CR, maxlength(game 19: labeled_input_1)) + #Oprf * time(concat_KeySched) + #Oprf * time(truncate_to_Nk) + 2 * #Oprf * time(concat_Expand, maxlength(game 19: key_schedule_context)) + #Oprf * time(truncate_to_Nn) + #Oprf * time(concat) 
-RESULT time(context for game 26) = #Oprf * Nperkey * time(= bitstring, maxlength(game 26: info_3), maxlength(game 26: info_3)) + #Oprf * time(concat_CR, maxlength(game 26: info_3)) + #Oprf * time(Extract_CR, maxlength(game 26: labeled_input_1)) + #Oprf * time(truncate_to_Nk) + #Oprf * time(truncate_to_Nn) + #Oprf * time(concat) -All queries proved. +Initial state +Game 2 is + Ostart() := + cr_key_3 <-R cr_key_t; + return(cr_key_3); + (( + foreach ikey_1 <= Nkey do + Ok() := + return(); + foreach i_1 <= Nperkey do + Oprf(info_4: bitstring) := + find [unique?] j_1 = j <= Nperkey suchthat defined(info_4[j], r[j]) && (info_4[j] = info_4) then + return(r[j_1]) + else + r <-R keys_t; + return(r) + ) | ( + OH() := + return(cr_key_3) + )) + + +Applying expand get, insert and prove unique annotations + - Proved that [unique] annotations are correct +yields + +Game 3 is + Ostart() := + cr_key_3 <-R cr_key_t; + return(cr_key_3); + (( + foreach ikey_1 <= Nkey do + Ok() := + return(); + foreach i_1 <= Nperkey do + Oprf(info_4: bitstring) := + find [unique] j_1 = j <= Nperkey suchthat defined(info_4[j], r[j]) && (info_4[j] = info_4) then + return(r[j_1]) + else + r <-R keys_t; + return(r) + ) | ( + OH() := + return(cr_key_3) + )) + +Initial state +Game 1 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + return((mode: mode_t <- mode_auth; psk: bitstring <- default_psk; psk_id: bitstring <- default_psk_id; psk_id_hash: cr_output_t <- (salt_3: cr_salt_t <- empty; label_5: label_extract_t <- label_psk_id_hash; labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); Extract_CR(cr_key_2, salt_3, labeled_input)); info_hash: cr_output_t <- (salt_4: cr_salt_t <- empty; label_6: label_extract_t <- label_info_hash; labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); Extract_CR(cr_key_2, salt_4, 
labeled_input_1)); key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); secrett: extract_t <- (label_7: label_extract_t <- label_secret; IKM: bitstring <- psk; labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, IKM); Extract_PRF(k, labeled_IKM)); key: key_t <- (label_8: label_expand_t <- label_key; L_2: length_t <- Nk; truncate_to_Nk((labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); Expand_PRF(secrett, labeledInfo)))); base_nonce: nonce_t <- (label_9: label_expand_t <- label_base_nonce; L_3: length_t <- Nn; truncate_to_Nn((labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); Expand_PRF(secrett, labeledInfo_1)))); concat(key, base_nonce))) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 4 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + psk: bitstring <- default_psk; + psk_id: bitstring <- default_psk_id; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + IKM: bitstring <- psk; + labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, IKM); + secrett: extract_t <- Extract_PRF(k, labeled_IKM); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: 
bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on IKM (definition removed, all usages removed) +yields + +Game 5 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + psk: bitstring <- default_psk; + psk_id: bitstring <- default_psk_id; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, psk); + secrett: extract_t <- Extract_PRF(k, labeled_IKM); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, 
key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of binder psk + - Remove assignments on psk (definition removed, all usages removed) +yields + +Game 6 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + psk_id: bitstring <- default_psk_id; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, default_psk); + secrett: extract_t <- Extract_PRF(k, labeled_IKM); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of binder psk_id + - Remove assignments on psk_id (definition removed, all usages removed) +yields + +Game 7 is + Ostart() 
:= + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + labeled_IKM: bitstring <- concat_PRF(RFCXXXX, suite_id, label_7, default_psk); + secrett: extract_t <- Extract_PRF(k, labeled_IKM); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of binder labeled_IKM + - Remove assignments on labeled_IKM (definition removed, all usages removed) +yields + +Game 8 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, 
label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_7: label_extract_t <- label_secret; + secrett: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_7, default_psk)); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of binder label_7 + - Remove assignments on label_7 (definition removed, all usages removed) +yields + +Game 9 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + {11} return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, 
psk_id_hash, info_hash); + secrett: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying insert instruction sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)) at occurrence 11 +yields + +Game 10 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- {84}Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- 
truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying use variable(s) sec + - Use variable sec + - Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)) replaced with sec at 84 +yields + +Game 11 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + {26} mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + 
+ +Applying insert instruction find [unique] l_1 = l <= Nperkey suchthat + defined(else_br[l], info_3[l]) + && (info_3[l] = info_3) + then else else_br <- true at occurrence 26 +yields + +Game 12 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + else + else_br: bool <- true; + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, 
labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); +{293} return(concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying insert instruction r_1 <- concat(key, base_nonce) at occurrence 293 +yields + +Game 13 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: 
extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(concat(key, base_nonce)) + else + else_br: bool <- true; + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return({303}concat(key, base_nonce)) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying use variable(s) r_1 + - Use variable r_1 + - concat(key, base_nonce) replaced with r_1 at 303 +yields + +Game 14 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + 
k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(else_br[l], info_3[l]) && (info_3[l] = info_3) then + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return({152}concat(key, base_nonce)) + else + else_br: bool <- true; + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, 
psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying replace term at occurrence 152 with r_1[l_1] +yields + +Game 15 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + 
labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + return(r_1[l_1]) + else + else_br: bool <- true; + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + secrett: extract_t <- sec; + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(secrett, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(secrett, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on else_br (definition removed, all usages removed) + - Remove assignments on secrett (definition removed, all usages removed) + - Remove assignments on secrett (definition removed, all usages removed) + - Remove assignments on key (definition removed, all usages removed) + - Remove assignments on base_nonce (definition removed, all usages removed) + - Remove assignments on labeledInfo (definition removed, all usages removed) + - Remove assignments on labeledInfo_1 (definition removed, all usages removed) + - Remove 
assignments on key_schedule_context (definition removed, all usages removed) + - Remove assignments on label_8 (definition removed, all usages removed) + - Remove assignments on L_2 (definition removed, all usages removed) + - Remove assignments on label_9 (definition removed, all usages removed) + - Remove assignments on L_3 (definition removed, all usages removed) + - Remove assignments on mode (definition removed, all usages removed) + - Remove assignments on psk_id_hash (definition removed, all usages removed) + - Remove assignments on info_hash (definition removed, all usages removed) + - Remove assignments on salt_3 (definition removed, all usages removed) + - Remove assignments on labeled_input (definition removed, all usages removed) + - Remove assignments on salt_4 (definition removed, all usages removed) + - Remove assignments on labeled_input_1 (definition removed, all usages removed) + - Remove assignments on label_5 (definition removed, all usages removed) + - Remove assignments on label_6 (definition removed, all usages removed) +yields + +Game 16 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + k <-R kemkey_t; + sec: extract_t <- Extract_PRF(k, concat_PRF(RFCXXXX, suite_id, label_secret, default_psk)); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + 
key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying equivalence prf(Extract_PRF) [probability P_PRF_Extract(time_1, Nkey, Nkey)] + - Equivalence prf(Extract_PRF) with variables: k -> k_2 +yields + +Game 17 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + sec: extract_t <- (x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); {17}find [unique] else r_2 <-R extract_t; r_2); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + 
key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Find at 17 removed (else branch kept if any) +yields + +Game 18 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + sec: extract_t <- (x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); r_2 <-R extract_t; r_2); + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, 
labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 19 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + x: bitstring <- concat_PRF(RFCXXXX, suite_id, label_secret, default_psk); + r_2 <-R extract_t; + sec: extract_t <- r_2; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(sec, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(sec, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on x (definition removed, all usages removed) + - Remove assignments on sec (definition removed, all usages removed) +yields + +Game 20 is + Ostart() := + cr_key_2 <-R cr_key_t; + 
return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + r_2 <-R extract_t; + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk(Expand_PRF(r_2, labeledInfo)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn(Expand_PRF(r_2, labeledInfo_1)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying equivalence prf(Expand_PRF) [probability P_PRF_Expand(time_2, Nkey, 2 * #Oprf)] + - Equivalence prf(Expand_PRF) with variables: r_2 -> k_2 +yields + +Game 21 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + 
labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk((x_1: bitstring <- labeledInfo; {116}find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then r_3[u_3] orfind u_2 = ri_5 <= Nperkey suchthat defined(x_2[ri_5], r_4[ri_5]) && {137}(x_1 = x_2[ri_5]) then r_4[u_2] else r_3 <-R expand_t; r_3)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn((x_2: bitstring <- labeledInfo_1; {176}find [unique] u_1 = ri_3 <= Nperkey suchthat defined(x_1[ri_3], r_3[ri_3]) && {181}(x_2 = x_1[ri_3]) then r_3[u_1] orfind u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then r_4[u] else r_4 <-R expand_t; r_4)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying simplify (non-expanded game) + - Simplification pass + - Replaced (x_1 = x_2[ri_5]) with false at 137 + - Remove branch 2 in find at 116 + - Replaced (x_2 = x_1[ri_3]) with false at 181 + - Remove branch 1 in find at 176 +yields + +Game 22 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey 
suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + key: key_t <- truncate_to_Nk((x_1: bitstring <- labeledInfo; find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then r_3[u_3] else r_3 <-R expand_t; r_3)); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + base_nonce: nonce_t <- truncate_to_Nn((x_2: bitstring <- labeledInfo_1; find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then r_4[u] else r_4 <-R expand_t; r_4)); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying expand + - Expand if/find/let +yields + +Game 23 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: 
bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + x_1: bitstring <- labeledInfo; + find [unique] u_3 = ri_7 <= Nperkey suchthat defined(x_1[ri_7], r_3[ri_7]) && (x_1 = x_1[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; + find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; + find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && (x_2 = x_2[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying 
remove assignments of findcond + - Remove assignments on x_1 (definition removed, all usages removed) + - Remove assignments on x_2 (definition kept, array references kept) + - Remove assignments on x_2 (definition kept, array references kept) +yields + +Game 24 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); +{110} find [unique] u_3 = ri_7 <= Nperkey suchthat defined(labeledInfo[ri_7], r_3[ri_7]) && {115}(labeledInfo = labeledInfo[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; +{150} find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && {155}(labeledInfo_1 = x_2[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t 
<- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; +{239} find [unique] u = ri_1 <= Nperkey suchthat defined(x_2[ri_1], r_4[ri_1]) && {244}(labeledInfo_1 = x_2[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying simplify + - Simplification pass + - Replaced (labeledInfo_1 = x_2[ri_1]) with (info_hash = info_hash[ri_1]) at 244 + - Replaced defined condition x_2[ri_1], r_4[ri_1] with r_4[ri_1], info_hash[ri_1] in find at 239 + - Replaced (labeledInfo = labeledInfo[ri_7]) with (info_hash = info_hash[ri_7]) at 115 + - Replaced (labeledInfo_1 = x_2[ri_1]) with (info_hash = info_hash[ri_1]) at 155 + - Replaced defined condition x_2[ri_1], r_4[ri_1] with r_4[ri_1], info_hash[ri_1] in find at 150 + - Replaced defined condition labeledInfo[ri_7], r_3[ri_7] with r_3[ri_7], info_hash[ri_7] in find at 110 +yields + +Game 25 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + mode: mode_t <- mode_auth; + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: 
bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + key_schedule_context: bitstring <- concat_KeySched(mode, psk_id_hash, info_hash); + label_8: label_expand_t <- label_key; + L_2: length_t <- Nk; + labeledInfo: bitstring <- concat_Expand(L_2, RFCXXXX, suite_id, label_8, key_schedule_context); + find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && (info_hash = info_hash[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + label_9: label_expand_t <- label_base_nonce; + L_3: length_t <- Nn; + labeledInfo_1: bitstring <- concat_Expand(L_3, RFCXXXX, suite_id, label_9, key_schedule_context); + x_2: bitstring <- labeledInfo_1; + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying move all binders + - Move assignment to x_2 + - Move assignment to labeledInfo_1 + - Move assignment to L_3 + - Move assignment to label_9 + - Move assignment to x_2 + - Move assignment to labeledInfo_1 + - Move 
assignment to L_3 + - Move assignment to label_9 + - Move assignment to labeledInfo + - Move assignment to L_2 + - Move assignment to label_8 + - Move assignment to key_schedule_context + - Move assignment to mode +yields + +Game 26 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + salt_3: cr_salt_t <- empty; + label_5: label_extract_t <- label_psk_id_hash; + labeled_input: bitstring <- concat_CR(RFCXXXX, suite_id, label_5, default_psk_id); + psk_id_hash: cr_output_t <- Extract_CR(cr_key_2, salt_3, labeled_input); + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && (info_hash = info_hash[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove 
assignments of findcond + - Remove assignments on psk_id_hash (definition removed, all usages removed) + - Remove assignments on salt_3 (definition removed, all usages removed) + - Remove assignments on labeled_input (definition removed, all usages removed) + - Remove assignments on label_5 (definition removed, all usages removed) +yields + +Game 27 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + {59} find [unique] u_3 = ri_7 <= Nperkey suchthat defined(r_3[ri_7], info_hash[ri_7]) && {64}(info_hash = info_hash[ri_7]) then + key: key_t <- truncate_to_Nk(r_3[u_3]); + find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && (info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); +{142} find [unique] u = ri_1 <= Nperkey suchthat defined(r_4[ri_1], info_hash[ri_1]) && {147}(info_hash = info_hash[ri_1]) then + base_nonce: nonce_t <- truncate_to_Nn(r_4[u]); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + else + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying simplify [probability P_hashcoll(time_3)] + - Simplification pass + - Replaced (info_hash = info_hash[ri_1]) 
with (info_3 = info_3[ri_1]) at 147 + - Remove branch 1 in find at 142 + - Find at 142 removed (else branch kept if any) + - Replaced (info_hash = info_hash[ri_7]) with (info_3 = info_3[ri_7]) at 64 + - Remove branch 1 in find at 59 + - Find at 59 removed (else branch kept if any) +yields + +Game 28 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + r_3 <-R expand_t; + key: key_t <- truncate_to_Nk(r_3); + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying equivalence truncate(truncate_to_Nk) + - Equivalence truncate(truncate_to_Nk) with variables: r_3 -> h +yields + +Game 29 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + salt_4: cr_salt_t <- empty; + label_6: label_extract_t <- label_info_hash; + labeled_input_1: bitstring <- concat_CR(RFCXXXX, suite_id, label_6, info_3); + info_hash: cr_output_t <- Extract_CR(cr_key_2, salt_4, labeled_input_1); + k_1 <-R key_t; + key: key_t <- k_1; + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(key, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on info_hash 
(definition removed, all usages removed) + - Remove assignments on key (definition removed, all usages removed) + - Remove assignments on salt_4 (definition removed, all usages removed) + - Remove assignments on labeled_input_1 (definition removed, all usages removed) + - Remove assignments on label_6 (definition removed, all usages removed) +yields + +Game 30 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + k_1 <-R key_t; + r_4 <-R expand_t; + base_nonce: nonce_t <- truncate_to_Nn(r_4); + r_1: keys_t <- concat(k_1, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying equivalence truncate(truncate_to_Nn) + - Equivalence truncate(truncate_to_Nn) with variables: r_4 -> h +yields + +Game 31 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + k_1 <-R key_t; + k_2 <-R nonce_t; + base_nonce: nonce_t <- k_2; + r_1: keys_t <- concat(k_1, base_nonce); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on base_nonce (definition removed, all usages removed) +yields + +Game 32 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + k_1 <-R key_t; + k_2 <-R nonce_t; + r_1: keys_t <- concat(k_1, k_2); + return(r_1) + ) | ( + OH() := + return(cr_key_2) + 
)) + + +Applying equivalence concat_random + - Equivalence concat_random with variables: k_2 -> k2, k_1 -> k1 +yields + +Game 33 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(r_1[l], info_3[l]) && (info_3[l] = info_3) then + return(r_1[l_1]) + else + k_3 <-R keys_t; + r_1: keys_t <- k_3; + return(r_1) + ) | ( + OH() := + return(cr_key_2) + )) + + +Applying remove assignments of findcond + - Remove assignments on r_1 (definition removed, all usages removed) +yields + +Game 34 is + Ostart() := + cr_key_2 <-R cr_key_t; + return(cr_key_2); + (( + foreach ikey <= Nkey do + Ok() := + return(); + foreach i <= Nperkey do + Oprf(info_3: bitstring) := + find [unique] l_1 = l <= Nperkey suchthat defined(k_3[l], info_3[l]) && (info_3[l] = info_3) then + return(k_3[l_1]) + else + k_3 <-R keys_t; + return(k_3) + ) | ( + OH() := + return(cr_key_2) + )) + + +Proved indistinguishability between game 34 and game 2 +Game 34 is the same as game 3. 
+Adv[Game 2: indistinguishability from game 3] <= 0 + Adv[Game 3: indistinguishability from game 3] +Adv[Game 3: indistinguishability from game 3] <= 0 +Adv[Game 1: indistinguishability from game 34] <= P_hashcoll(time_3) + P_PRF_Expand(time_2, Nkey, 2 * #Oprf) + P_PRF_Extract(time_1, Nkey, Nkey) + Adv[Game 34: indistinguishability from game 34] +Adv[Game 34: indistinguishability from game 34] <= 0 +RESULT Proved indistinguishability between game 1 and game 2 up to probability P_hashcoll(time_3) + P_PRF_Expand(time_2, Nkey, 2 * #Oprf) + P_PRF_Extract(time_1, Nkey, Nkey) +RESULT time_1 = time + time(context for game 16) = Nkey * time(concat_PRF, length(default_psk)) + #Oprf * Nperkey * time(= bitstring, maxlength(game 16: info_3), maxlength(game 16: info_3)) + #Oprf * time(concat_CR, length(default_psk_id)) + #Oprf * time(Extract_CR, maxlength(game 16: labeled_input)) + #Oprf * time(concat_CR, maxlength(game 16: info_3)) + #Oprf * time(Extract_CR, maxlength(game 16: labeled_input_1)) + #Oprf * time(concat_KeySched) + #Oprf * time(truncate_to_Nk) + #Oprf * time(Expand_PRF, maxlength(game 16: labeledInfo)) + 2 * #Oprf * time(concat_Expand, maxlength(game 16: key_schedule_context)) + #Oprf * time(truncate_to_Nn) + #Oprf * time(Expand_PRF, maxlength(game 16: labeledInfo_1)) + #Oprf * time(concat) + time +RESULT time_2 = time + time(context for game 20) = #Oprf * Nperkey * time(= bitstring, maxlength(game 20: info_3), maxlength(game 20: info_3)) + #Oprf * time(concat_CR, length(default_psk_id)) + #Oprf * time(Extract_CR, maxlength(game 20: labeled_input)) + #Oprf * time(concat_CR, maxlength(game 20: info_3)) + #Oprf * time(Extract_CR, maxlength(game 20: labeled_input_1)) + #Oprf * time(concat_KeySched) + #Oprf * time(truncate_to_Nk) + 2 * #Oprf * time(concat_Expand, maxlength(game 20: key_schedule_context)) + #Oprf * time(truncate_to_Nn) + #Oprf * time(concat) + time +RESULT time_3 = time + time(game 27) = time + #Oprf * Nperkey * time(= bitstring, maxlength(game 27: 
info_3), maxlength(game 27: info_3)) + #Oprf * time(concat_CR, maxlength(game 27: info_3)) + #Oprf * time(Extract_CR, maxlength(game 27: labeled_input_1)) + #Oprf * time(truncate_to_Nk) + #Oprf * time(truncate_to_Nn) + #Oprf * time(concat) +All queries proved. diff --git a/lib.gdh.ocvl b/lib.gdh.ocvl index 280d4e7..eb6ea23 100644 --- a/lib.gdh.ocvl +++ b/lib.gdh.ocvl @@ -23,8 +23,8 @@ def GDH_RSR_minimal(G, Z, g, exp, mult, pGDH, pDistRerandom) { negligible probability, even in the presence of a decision DH oracle DH(A,B,C) tells whether A = g^a, C = B^a for some a. *) -param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, naDH9, - nb, nbDDH, nbDDH1, nbDDH2, nbDDH3, nbDDH4, nbDDH5, nbDDH6, nbDDH7, nbDDH8, nbDH9. +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, naDH9, + nb, nbeq, nbDDH, nbDDH1, nbDDH2, nbDDH3, nbDDH4, nbDDH5, nbDDH6, nbDDH7, nbDDH8, nbDH9. (* In the code below: - oracles OA and OB give the public Diffie-Hellman keys to the adversary 
@@ -34,21 +34,28 @@ param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, using exp(g,a), since exp(g,a) is not a subterm of exp(g, mult(a,x)). - Oracles ODDHa1, ODDHa, ODDHa8, ODDHb1, ODDHb, ODDHb8 are instances of the decision DH oracle. - ODDHa1(m,m') = DH(exp(g,a), m', m) - ODDHa(m,j) = DH(exp(g,a), exp(g,b[j]), m) + ODDHa1[i](m,m') = DH_a(i, m', m) + ODDHa8[i](m,j) = DH_a(i, exp(g,a[j]), m) + ODDHb1[i](m,m') = DH_b(i, m', m) + ODDHb8[i](m,j) = DH_b(i, exp(g,b[j]), m) + where DH_a(i, m', m) = (m'^a[i] = m) + DH_b(i, m', m) = (m'^b[i] = m) + + ODDHa[i](m,j) = DH_l(i, j, m) and in this case we can apply the CDH assumption and replace the result with "false" in the right-hand side - ODDHa8(m,j) = DH(exp(g,a), exp(g,a[j]), m) - ODDHb1(m,m') = DH(exp(g,b), m', m) - ODDHb(m,j) = DH(exp(g,b), exp(g,a[j]), m) + ODDHb[i](m,j) = DH_1(j, i, m) and in this case we can apply the CDH assumption and replace the result with "false" in the right-hand side - ODDHb8(m,j) = DH(exp(g,b), exp(g,b[j]), m) *) equiv(gdh(exp)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=nb) [useful_change] := return(m = exp(g, mult(b[j], a))) | foreach iaDDH8 <= naDDH8 do ODDHa8(m:G,j<=na) [3] := return(m = exp(g,mult(a[j], a))) | 
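Review bot: The rewritten oracle summary in this hunk's comment uses `DH_l(i, j, m)` for ODDHa and `DH_1(j, i, m)` for ODDHb without defining either symbol, while `DH_a` and `DH_b` are defined two lines above; `DH_1` looks like a typo for `DH_l`, but a reader cannot tell which was meant. The same gap recurs in the `square_GDH_RSR_minimal` comment (hunk `@@ -100,8 +110,8 @@`), which introduces `DH_0` and `DH_l` undefined. From the left-hand side in this hunk, ODDHa(m,j) returns `m = exp(g, mult(b[j], a))`, so the intended definition is presumably `where DH_l(i, j, m) = (m = exp(g, mult(a[i], b[j])))`; adding that line next to the DH_a/DH_b definitions and changing `DH_1` to `DH_l` would make the comment self-contained. The enclosing `equiv(gdh(exp))` continues past the end of the hunk.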
@@ -56,17 +63,19 @@ equiv(gdh(exp)) ) | foreach ib <= nb do b <-R Z; ( OB() := return(exp(g,b)) | + foreach ibeq <= nbeq do OBeq(m:G) := return(m = exp(g,b)) | foreach ibDDH1 <= nbDDH1 do ODDHb1(m:G, m':G) := return(m = exp(m', b)) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := return(m = exp(g, mult(a[j], b))) | foreach ibDDH8 <= nbDDH8 do ODDHb8(m:G,j<=nb) [3] := return(m = exp(g,mult(b[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) -<=(pGDH(time + (na + nb + 1) * time(exp), +<=(pGDH(time + (na + nb + 1 + #ODHa9 + #ODHb9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa8 + #ODDHb + #ODDHb1 + #ODDHb8) + (na + nb) * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp(g,a)) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=nb) := return(false) | foreach iaDDH8 <= naDDH8 do ODDHa8(m:G,j<=na) [3] := return(m = exp(g,mult(a[j], a))) | @@ -74,6 +83,7 @@ equiv(gdh(exp)) ) | foreach ib <= nb do b <-R Z [unchanged]; ( OB() := return(exp(g,b)) | + foreach ibeq <= nbeq do OBeq(m:G) := return(m = exp(g,b)) | foreach ibDDH1 <= nbDDH1 do ODDHb1(m:G, m':G) := return(m = exp(m', b)) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := return(false) | foreach ibDDH8 <= nbDDH8 do ODDHb8(m:G,j<=nb) [3] := return(m = exp(g,mult(b[j], b))) | @@ -91,7 +101,7 @@ def square_GDH_RSR_minimal(G, Z, g, exp, mult, pSQGDH, pDistRerandom) { negligible probability, even in the presence of a decision DH oracle DH(A,B,C) tells whether A = g^a, C = B^a for some a. *) -param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. (* In the code below: - oracle OA gives the public Diffie-Hellman keys to the adversary 
@@ -100,8 +110,8 @@ param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. CryptoVerif would not detect that exp(g, mult(a,x)) can be computed using exp(g,a), since exp(g,a) is not a subterm of exp(g, mult(a,x)). - Oracles ODDHa1 and ODDHa are instances of the decision DH oracle. - ODDHa1(m,m') = DH(exp(g,a), m', m) - ODDHa(m,j) = DH(exp(g,a), exp(g,a[j]), m) + ODDHa1[i](m,m') = DH_0(exp(g,a[i]), m', m) + ODDHa[i](m,j) = DH_l(i, j, m) and in this case we can apply the CDH assumption and replace the result with "false" in the right-hand side *) @@ -109,13 +119,18 @@ param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. equiv(gdh(exp)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(pSQGDH(time + (na+1) * time(exp), #ODDHa + #ODDHa1) + na * pDistRerandom)=> [computational] +<=(pSQGDH(time + (na+1 + #ODHa9) * time(exp), #ODDHa + #ODDHa1) + na * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp(g,a)) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := return(false) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp(g, mult(a, x))) diff --git a/lib.ocvl b/lib.ocvl index c5f46c5..3329c18 100644 --- a/lib.ocvl +++ b/lib.ocvl 
@@ -1,3 +1,49 @@ +(************************************************************* + * * + * Cryptographic protocol verifier * + * * + * Bruno Blanchet and David Cadé * + * * + * Copyright (C) ENS, CNRS, INRIA, 2005-2021 * + * * + *************************************************************) + +(* + + Copyright ENS, CNRS, INRIA + contributors: Bruno Blanchet, Bruno.Blanchet@inria.fr + David Cadé + +This software is a computer program whose purpose is to verify +cryptographic protocols in the computational model. + +This software is governed by the CeCILL-B license under French law and +abiding by the rules of distribution of free software. You can use, +modify and/ or redistribute the software under the terms of the CeCILL-B +license as circulated by CEA, CNRS and INRIA at the following URL +"http://www.cecill.info". + +As a counterpart to the access to the source code and rights to copy, +modify and redistribute granted by the license, users are provided only +with a limited warranty and the software's author, the holder of the +economic rights, and the successive licensors have only limited +liability. + +In this respect, the user's attention is drawn to the risks associated +with loading, using, modifying and/or developing or reproducing the +software by the user in light of its specific status of free software, +that may mean that it is complicated to manipulate, and that also +therefore means that it is reserved for developers and experienced +professionals having in-depth computer knowledge. Users are therefore +encouraged to load and test the software's suitability as regards their +requirements in conditions enabling the security of their systems and/or +data to be ensured and, more generally, to use and operate it in the +same conditions as regards security. + +The fact that you are presently reading this means that you have had +knowledge of the CeCILL-B license and that you accept its terms. + +*) equation forall x:bool; not(not(x)) = x. 
equation forall x:bool,y:bool; (not(x && y)) = (not(x) || not(y)). equation forall x:bool,y:bool; (not(x || y)) = (not(x) && not(y)). 
@@ -2015,26 +2061,31 @@ equation forall m:cleartext, r:keyseed, r2:enc_seed; equation forall m:cleartext, r:keyseed, r2:enc_seed; dec2(enc_r2(m, pkgen2(r), r2), skgen2(r)) = injbot(m). +table cipher(N3,cleartext,ciphertext). + equiv(ind_cca2(enc)) foreach i3 <= N3 do r <-R keyseed; ( Opk() [2] := return(pkgen(r)) | foreach i2 <= N2 do Odec(m:ciphertext) := return(dec(m, skgen(r))) | foreach i <= N do r1 <-R enc_seed; Oenc(x1:cleartext) := return(enc_r(x1, pkgen(r),r1))) | foreach i4 <= N4 do r2 <-R enc_seed; Oenc2(x:cleartext, y:pkey) [3] := return(enc_r(x,y,r2)) [all] - <=(N3 * (N + N4) * Penc(time + (N4+N-1) * time(enc_r, max(maxlength(x),maxlength(x1))) + (N3-1)*(time(pkgen) + time(skgen) + N2 * time(dec, maxlength(m)) + N * time(enc_r, max(maxlength(x),maxlength(x1)))), N2) + 0.5 * N3 * (N3-1) * Penccoll)=> + <=(N3 * (N + N4) * Penc(time + (N4+N-1) * time(enc_r, max(maxlength(x),maxlength(x1))) + (N3-1)*(time(pkgen) + time(skgen) + N2 * time(dec, maxlength(m)) + N * time(enc_r, max(maxlength(x),maxlength(x1)))), N2))=> foreach i3 <= N3 do r <-R keyseed; ( Opk() := return(pkgen2(r)) | foreach i2 <= N2 do Odec(m:ciphertext) := - find j <= N suchthat defined(m1[j],x1[j]) && m = m1[j] then return(injbot(x1[j])) - orfind j <= N4 suchthat defined(m2[j],y[j],x[j]) && - y[j] = pkgen2(r) && m = m2[j] then return(injbot(x[j])) else return(dec2(m, skgen2(r))) | + get cipher(=i3, x, =m) in + return(injbot(x)) + else + return(dec2(m, skgen2(r))) | foreach i <= N do r1 <-R enc_seed; Oenc(x1:cleartext) := - m1:ciphertext <- enc_r2(Z(x1), pkgen2(r), r1); + m1 <- enc_r2(Z(x1), pkgen2(r), r1); + insert cipher(i3, x1, m1); return(m1)) | foreach i4 <= N4 do Oenc2(x:cleartext, y:pkey) := find k <= N3 suchthat defined(r[k]) && y = pkgen2(r[k]) then (r2 <-R enc_seed; - m2:ciphertext <- enc_r2(Z(x), y, r2); + m2 <- enc_r2(Z(x), y, r2); + insert cipher(k, x, m2); return(m2)) else r3 <-R enc_seed; return(enc_r(x,y,r3)). 
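Review bot: The new probability bound of the `ind_cca2(enc)` equivalence drops the `+ 0.5 * N3 * (N3-1) * Penccoll` term, but nothing in the hunk records why a collision between two `pkgen2` public keys no longer costs anything; the commit title points to a new eprint version, which a reader of lib.ocvl does not have at hand. The right-hand side still resolves the key for `Oenc2` with `find k <= N3 suchthat defined(r[k]) && y = pkgen2(r[k])` and files the ciphertext under that index via `insert cipher(k, x, m2)`, whereas `Odec` looks it up under its own index `=i3`, so whether a `pkgen2` collision can now misroute a ciphertext between two key instances is exactly the question the dropped term used to answer. A one-line comment above the `<=(...)=>` such as `(* no Penccoll term: ciphertexts are indexed by key instance i3, not by public key; see [REFERENCE-PLACEHOLDER] *)` would document the justification, assuming that is the argument. The enclosing macro and the `Penccoll` declaration lie outside this hunk.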
@@ -2044,6 +2095,8 @@ equiv(ind_cca2(enc)) It renames only the encryption function symbol for the occurrences that are transformed, so it can be applied again to other occurrences. *) +table cipher1(cleartext, ciphertext). + equiv(ind_cca2_partial(enc)) r <-R keyseed; ( Opk() := return(pkgen(r)) | @@ -2053,10 +2106,11 @@ equiv(ind_cca2_partial(enc)) r <-R keyseed; ( Opk() := return(pkgen(r)) | foreach i2 <= N2 do Odec(m:ciphertext) := - find j <= N suchthat defined(m1[j],x1[j]) && m = m1[j] then return(injbot(x1[j])) else + get cipher1(x, =m) in return(injbot(x)) else return(dec(m, skgen(r))) | foreach i <= N do r1 <-R enc_seed; Oenc(x1:cleartext) := - m1:ciphertext <- enc_r2(Z(x1), pkgen(r), r1); + m1 <- enc_r2(Z(x1), pkgen(r), r1); + insert cipher1(x1, m1); return(m1)). collision r1 <-R keyseed; r2 <-R keyseed; @@ -3399,12 +3453,12 @@ equiv(cdh(exp)) foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := return(m = exp(g, mult(a[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) -<=((naDDH + nbDDH) * na * nb * pCDH(time + (na + nb + #ODDHa + #ODDHb - 3) * time(exp)))=> [computational] +<=((naDDH + nbDDH) * na * nb * pCDH(time + (na + nb + #ODDHa + #ODDHb - 3 + #ODHa9 + #ODHb9) * time(exp)))=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | Oa() := let ka:bool = true in return(a) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=nb) := - find u<=nb suchthat defined(kb[u],b[u]) && b[j] = b[u] then return(m = exp'(g, mult(b[j], a))) else + if defined(kb[j]) then return(m = exp'(g, mult(b[j], a))) else if defined(ka) then return(m = exp'(g, mult(b[j], a))) else return(false) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ) | 
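Review bot: In the `cdh(exp)` hunk `@@ -3399,12 +3453,12 @@`, replacing `find u<=nb suchthat defined(kb[u],b[u]) && b[j] = b[u] then ...` by `if defined(kb[j]) then ...` in ODDHa narrows the leak check from "some leaked exponent equals b[j]" to "b[j] itself was leaked", so the right-hand side now answers `false` when a different but colliding b[u] has been leaked. That is presumably sound because collisions between independently drawn exponents are absorbed elsewhere (by collision elimination on Z or inside pCDH), but no line in the hunk or in the probability bound records it. The same substitution, plus the `b[j] = b[j']`→`j = j'` and `a[j] = a`→`j = ia` return-value changes, appears in hunks `@@ -3412`, `@@ -3454`, `@@ -3467`, `@@ -3611` and `@@ -3660`. A short comment above the first right-hand `ODDHa` such as `(* index equality suffices here: exponent collisions between distinct indices are eliminated separately *)` would keep a future reader from reintroducing the `find`. The enclosing `def` and `equiv` start outside the hunk.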
@@ -3412,13 +3466,45 @@ equiv(cdh(exp)) OB() := return(exp'(g,b)) | Ob() := let kb:bool = true in return(b) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j] = a[u] then return(m = exp'(g, mult(a[j], b))) else + if defined(ka[j]) then return(m = exp'(g, mult(a[j], b))) else if defined(kb) then return(m = exp'(g, mult(a[j], b))) else return(false) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) := return(exp'(g, mult(b, x))) ). } +(* Same as CDH, but with a single family of exponents instead of two. + More powerful, but may lead to a higher probability. *) + +def CDH_single(G, Z, g, exp, exp', mult, pCDH) { + +(* the CDH assumption *) + +param na, naDDH, naDH9. + +event square. + +equiv(cdh(exp)) + foreach ia <= na do a <-R Z; ( + OA() := return(exp(g,a)) | + Oa() [10] := return(a) | + foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := return(m = exp(g, mult(a[j], a))) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) + ) +<=(naDDH * na * (na-1) * pCDH(time + (na + #ODDHa - 3 + #ODHa9) * time(exp)))=> [computational] + foreach ia <= na do a <-R Z [unchanged]; ( + OA() := return(exp'(g,a)) | + Oa() := let ka:bool = true in return(a) | + foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := + if defined(ka[j]) then return(m = exp'(g, mult(a[j], a))) else + if defined(ka) then return(m = exp'(g, mult(a[j], a))) else + if j = ia then event_abort square else + return(false) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) + ). + +} + (* Variant of CDH with random self reducibility. It may yield lower probabilities but requires the rerandomization to be feasible. 
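Review bot: The header comment of the new `CDH_single` macro says only "More powerful, but may lead to a higher probability" and does not mention that a query `ODDHa(m, j)` with `j = ia` is answered by `event_abort square` on the right-hand side, so the square case `exp(g, mult(a, a))` is not covered by the `pCDH` bound and is presumably left to the user of the macro to rule out. The same applies to `CDH_RSR_single` (hunk `@@ -3467,13 +3553,46 @@`) and `DDH_single` (hunk `@@ -3490,50 +3609,150 @@`). A sentence in each header such as `(* Queries with j = ia (square Diffie-Hellman) raise event square and are not covered by this bound *)` would make the contract explicit. The relation between the `naDDH * na * (na-1)` factor here and the `na*(na-1)/2` factor used by `DDH_single` and `GDH_single` is also undocumented; a pointer to the derivation would help.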
@@ -3454,12 +3540,12 @@ equiv(cdh(exp)) foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := return(m = exp(g, mult(a[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) -<=((#ODDHa + #ODDHb) * max(1, 4*#Oa) * max(1, 4*#Ob) * pCDH(time + (na + nb + #ODDHa + #ODDHb + 1) * time(exp)) + (na + nb) * pDistRerandom)=> [computational] +<=((#ODDHa + #ODDHb) * max(1, 4*#Oa) * max(1, 4*#Ob) * pCDH(time + (na + nb + #ODDHa + #ODDHb + 1 + #ODHa9 + #ODHb9) * time(exp)) + (na + nb) * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | Oa() := let ka:bool = true in return(a) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=nb) := - find u<=nb suchthat defined(kb[u],b[u]) && b[j] = b[u] then return(m = exp'(g, mult(b[j], a))) else + if defined(kb[j]) then return(m = exp'(g, mult(b[j], a))) else if defined(ka) then return(m = exp'(g, mult(b[j], a))) else return(false) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ) | 
@@ -3467,13 +3553,46 @@ equiv(cdh(exp)) OB() := return(exp'(g,b)) | Ob() := let kb:bool = true in return(b) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j] = a[u] then return(m = exp'(g, mult(a[j], b))) else + if defined(ka[j]) then return(m = exp'(g, mult(a[j], b))) else if defined(kb) then return(m = exp'(g, mult(a[j], b))) else return(false) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) := return(exp'(g, mult(b, x))) ). } +(* Same as CDH_RSR, but with a single family of exponents instead of two. + More powerful, but leads to a higher probability. *) + +def CDH_RSR_single(G, Z, g, exp, exp', mult, pCDH, pDistRerandom) { + +(* the CDH assumption *) + +param na, naDDH, naDH9. + +event square. + +equiv(cdh(exp)) + foreach ia <= na do a <-R Z; ( + OA() := return(exp(g,a)) | + Oa() [10] := return(a) | + foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := + return(m = exp(g, mult(a[j], a))) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) + ) +<=(2* #ODDHa * max(1, 27/4*#Oa^2) * pCDH(time + (na + #ODDHa + 1 + #ODHa9) * time(exp)) + na * pDistRerandom)=> [computational] + foreach ia <= na do a <-R Z [unchanged]; ( + OA() := return(exp'(g,a)) | + Oa() := let ka:bool = true in return(a) | + foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := + if defined(ka[j]) then return(m = exp'(g, mult(a[j], a))) else + if defined(ka) then return(m = exp'(g, mult(a[j], a))) else + if j = ia then event_abort square else + return(false) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) + ). + +} + (* Decisional Diffie-Hellman pDDH(t): the probability of breaking the DDH assumption in time t 
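Review bot: The probability bound of the new `CDH_RSR_single` macro, `2* #ODDHa * max(1, 27/4*#Oa^2) * pCDH(...)`, carries the constant `27/4` with no derivation or reference, and the `max(1, 4*#Oa) * max(1, 4*#Ob)` factors of `CDH_RSR` in the previous hunk are equally unexplained; these constants are the part of a bound a reader is least able to re-derive. A comment above the `<=(...)=>` line such as `(* constants from the random self-reducibility argument, see [REFERENCE-PLACEHOLDER] *)` would do. The header comment also says "leads to a higher probability" where `CDH_single` says "may lead to"; presumably one wording is meant for both.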
@@ -3490,50 +3609,150 @@ event ev_abort. param na, naDH, nb, nbDH, naDH9, nbDH9. +table dhval(na, nb, G). + equiv(ddh(exp)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | Oa() [10] := return (a) | - foreach iaDH <= naDH do ODHa(j<=nb) [useful_change] := return (exp(g, mult(b[j], a))) | + foreach iaDH <= naDH do ODHa(jb<=nb) [useful_change] := return (exp(g, mult(b[jb], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) | foreach ib <= nb do b <-R Z; ( OB() := return (exp(g,b)) | Ob() [10] := return(b) | - foreach ibDH <= nbDH do ODHb(j<=na) := return(exp(g, mult(a[j], b))) | + foreach ibDH <= nbDH do ODHb(ja<=na) := return(exp(g, mult(a[ja], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) -<=(na * nb * pDDH(time + (na + nb + #ODHa + #ODHb - 3) * time(exp)))=> +<=(na * nb * pDDH(time + (na + nb + #ODHa + #ODHb - 3 + #ODHa9 + #ODHb9) * time(exp)))=> foreach ia <= na do a <-R Z; ( OA() := return(exp'(g,a)) | Oa() := - find uaDH <= naDH suchthat defined(ka'[uaDH]) then event_abort ev_abort - orfind ubDH <= nbDH, ub <= nb suchthat defined(kb'[ubDH, ub], a'[ubDH, ub]) && a'[ubDH, ub] = a then event_abort ev_abort else + get dhval(=ia, jb, c) in event_abort ev_abort else let ka:bool = true in return(a) | - foreach iaDH <= naDH do ODHa(j<=nb) := - let b':Z = b[j] in - find u<=nb suchthat defined(kb[u],b[u]) && b' = b[u] then return(exp'(g, mult(b', a))) else - if defined(ka) then return(exp'(g, mult(b', a))) else - let ka':bool = true in - find vaDH <= naDH suchthat defined(b'[vaDH],ca[vaDH]) && b' = b'[vaDH] then return(ca[vaDH]) - orfind vbDH <= nbDH, vb <= nb suchthat defined(b[vb], a'[vbDH, vb], cb[vbDH, vb]) && b' = b[vb] && a = a'[vbDH, vb] then return(cb[vbDH, vb]) else - ca <-R G; return(ca) | + foreach iaDH <= naDH do ODHa(jb<=nb) := + if defined(kb[jb]) then return(exp'(g, mult(b[jb], a))) else + if defined(ka) then return(exp'(g, mult(b[jb], a))) else + get[unique] dhval(=ia, =jb, c) in 
return(c) else + ca <-R G; + insert dhval(ia, jb, ca); + return(ca) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ) | foreach ib <= nb do b <-R Z; ( OB() := return(exp'(g,b)) | Ob() := - find ubDH <= nbDH suchthat defined(kb'[ubDH]) then event_abort ev_abort - orfind uaDH <= naDH, ua <= na suchthat defined(ka'[uaDH, ua], b'[uaDH, ua]) && b'[uaDH, ua] = b then event_abort ev_abort else + get dhval(ja, =ib, c) in event_abort ev_abort else let kb:bool = true in return(b) | - foreach ibDH <= nbDH do ODHb(j<=na) := - let a':Z = a[j] in - find u<=na suchthat defined(ka[u],a[u]) && a' = a[u] then return(exp'(g, mult(a', b))) else - if defined(kb) then return(exp'(g, mult(a', b))) else - let kb':bool = true in - find vbDH <= nbDH suchthat defined(a'[vbDH],cb[vbDH]) && a' = a'[vbDH] then return(cb[vbDH]) - orfind vaDH <= naDH, va <= na suchthat defined(a[va], b'[vaDH, va], ca[vaDH, va]) && a' = a[va] && b = b'[vaDH, va] then return(ca[vaDH, va]) else - cb <-R G; return(cb) | + foreach ibDH <= nbDH do ODHb(ja<=na) := + if defined(ka[ja]) then return(exp'(g, mult(a[ja], b))) else + if defined(kb) then return(exp'(g, mult(a[ja], b))) else + get[unique] dhval(=ja, =ib, c) in return(c) else + cb <-R G; + insert dhval(ja, ib, cb); + return(cb) | + foreach ibDH9 <= nbDH9 do ODHb9(x:Z) := return(exp'(g, mult(b, x))) + ). + +} + +(* Same as DDH, but with a single family of exponents instead of two. + More powerful, but may lead to a higher probability. *) + +def DDH_single(G, Z, g, exp, exp', mult, pDDH) { + +(* the DDH assumption *) + +event ev_abort. +event square. + +param na, naDH, naDH9. + +table dhval(na, na, G). 
+ +equiv(ddh(exp)) + foreach ia <= na do a <-R Z; ( + OA() := return(exp(g,a)) | + Oa() [10] := return (a) | + foreach iaDH <= naDH do ODHa(j<=na) [useful_change] := return (exp(g, mult(a[j], a))) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) + ) +<=(na*(na-1)/2 * pDDH(time + (na + #ODHa - 3 + #ODHa9) * time(exp)))=> + foreach ia <= na do a <-R Z; ( + OA() := return(exp'(g,a)) | + Oa() := + get dhval(=ia, j, c) in event_abort ev_abort else + get dhval(j, =ia, c) in event_abort ev_abort else + let ka:bool = true in return(a) | + foreach iaDH <= naDH do ODHa(j<=na) := + if defined(ka[j]) then return(exp'(g, mult(a[j], a))) else + if defined(ka) then return(exp'(g, mult(a[j], a))) else + if j = ia then event_abort square else + get[unique] dhval(=ia, =j, c) in return(c) else + get[unique] dhval(=j, =ia, c) in return(c) else + ca <-R G; + insert dhval(ia, j, ca); + return(ca) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) + ). + +} + +(* Decisional Diffie-Hellman, with random self reducibility. + + This macro yields a better probability but is much more + restricted than the other DDH macros: + - it does not support corruption + - it supports only a single Diffie-Hellman query for each + exponent a_i, associated with an arbitrary b_j and no Diffie-Hellman + queries for b_j. + - the default distribution on G must be as follows: + There is an underlying prime-order group (the Diffie-Hellman group + itself when it has prime order; the prime-order subgroup of the curve + generated by the base point for Curve25519/Curve448). The default + distribution on G is obtained by choosing uniformly an element in that + group minus its neutral element and taking the associated public key in G + (the group element itself for prime-order Diffie-Hellman groups; + the encoding of its X coordinate for Curve25519/Curve448). 
+ + pDDH(t): the probability of breaking the DDH assumption in time t + pDistRerandom: the probability that rerandomization can be distinguished from the + original distribution + It is 0 when exponents are chosen uniformly in (Z/qZ)^*. + 2^-125 for curve25519 + 2^-220 for curve448 + Other arguments as in DH_basic. + + All arguments must be declared before this macro. +*) + +def DDH_RSR(G, Z, g, exp, exp', mult, pDDH, pDistRerandom) { + +(* the DDH assumption *) + +param na, nb, naDH9, nbDH9. + +equiv(ddh(exp)) + foreach ia <= na do a <-R Z; ( + OA() := return(exp(g,a)) | + ODHa(jb<=nb) [useful_change] := return (exp(g, mult(b[jb], a))) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) + ) | + foreach ib <= nb do b <-R Z; ( + OB() := return (exp(g,b)) | + foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) + ) +<=(pDDH(time + (2*na + 2*nb + 4*#ODHa + #ODHa9 + #ODHb9) * time(exp)) + + (2*na+2*nb+#ODHa+1)*Pcoll1rand(G) + (na+nb)*pDistRerandom)=> + foreach ia <= na do a <-R Z; ( + OA() := return(exp'(g,a)) | + ODHa(jb<=nb) := + ca <-R G; + return(ca) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) + ) | + foreach ib <= nb do b <-R Z; ( + OB() := return(exp'(g,b)) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) := return(exp'(g, mult(b, x))) ). 
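Review bot: In the rewritten `ddh(exp)` right-hand side, the `Oa()` branch `get dhval(=ia, jb, c) in event_abort ev_abort else let ka:bool = true in return(a)` is the one place where the simulation gives up, and neither the `ev_abort` event nor this branch carries a comment saying why. A comment above that branch and its `Ob()` mirror recording the reason (presumably that once a DH query involving `a` has been answered with a fresh random `ca`, no exponent consistent with that answer can be returned) would explain the table-based rewrite to the next reader. The new `DDH_RSR` macro documents its restrictions well; stating in the same place that the `Pcoll1rand(G)` terms in its bound rely on the default distribution on G described just above would tie the two together. The opening lines of the `ddh(exp)` equivalence are outside this hunk.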
@@ -3543,12 +3762,22 @@ equiv(ddh(exp)) pGDH(t, n): the probability of breaking the GDH assumption in time t, with at most n calls to the DDH oracle. + pDistRerandom: the probability that rerandomization can be distinguished from the + original distribution + It is 0 when exponents are chosen uniformly in (Z/qZ)^*. + 2^-125 for curve25519 + 2^-220 for curve448 + (see https://tools.ietf.org/html/draft-barnes-cfrg-mult-for-7748-00 for the rerandomization + for curve25519 and curve448). It is needed because, for curve25519/448, to make + the DH decision oracle unambiguous, we generate secret keys in [(p+1)/2,p-1] + instead of the set used for generating secret keys in the curve25519/448 implementation. + (The latter set yields equivalent secret keys with small probability.) Other arguments as in DH_basic. All arguments must be declared before this macro. *) -def GDH(G, Z, g, exp, exp', mult, pGDH) { +def GDH(G, Z, g, exp, exp', mult, pGDH, pDistRerandom) { (* the GDH assumption This equivalence says that, when exp(g,a[i]) and exp(g,b[j]) are known to the @@ -3557,8 +3786,8 @@ def GDH(G, Z, g, exp, exp', mult, pGDH) { DDH(G,A,B,C) tells whether A = G^a, B = G^b, and C = G^{ab} for some a,b, that is DDH(G,A,B,C) is (log_G(A) * log_G(B) = log_G(C)). *) -param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, naDH9, - nb, nbDDH, nbDDH1, nbDDH2, nbDDH3, nbDDH4, nbDDH5, nbDDH6, nbDDH7, nbDDH8, nbDH9. +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, naDH9, + nb, nbeq, nbDDH, nbDDH1, nbDDH2, nbDDH3, nbDDH4, nbDDH5, nbDDH6, nbDDH7, nbDDH8, nbDH9. equiv(gdh(exp)) foreach ia <= na do a <-R Z; ( 
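Review bot: `def GDH(...)` gains an eighth parameter `pDistRerandom` in hunk `@@ -3543,12 +3762,22 @@`, so every existing `expand GDH(...)` with seven arguments stops parsing, and the added doc text describes the parameter without flagging the signature change. Since `GDH_RSR_minimal` in lib.gdh.ocvl already took `pDistRerandom`, the change is consistent across the library, but a line in the header such as `(* GDH now takes pDistRerandom as its last argument *)` or a changelog entry would help users of the library. The bound in hunk `@@ -3587,15 +3820,16 @@` adds the matching `(na + nb) * pDistRerandom` term, so the parameter is actually used.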
@@ -3570,6 +3799,10 @@ equiv(gdh(exp)) foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=nb,j<=na) := return(exp(m,a[j]) = exp(g, mult(b[j'], a))) | foreach iaDDH6 <= naDDH6 do ODDHa6(m:G, j'<=na,j<=nb) := return(exp(m,b[j]) = exp(g, mult(a[j'], a))) | foreach iaDDH7 <= naDDH7 do ODDHa7(m:G, j'<=na,j<=na) := return(exp(m,a[j]) = exp(g, mult(a[j'], a))) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | (* We put the oracle m = exp(m', a) after exp(m,b[j]) = exp(m', a) to apply in priority the latter. Otherwise, CryptoVerif sometimes uses m = exp(m', a) to discharge 
@@ -3587,15 +3820,16 @@ equiv(gdh(exp)) foreach ibDDH5 <= nbDDH5 do ODDHb5(m:G, j'<=nb,j<=na) := return(exp(m,a[j]) = exp(g, mult(b[j'], b))) | foreach ibDDH6 <= nbDDH6 do ODDHb6(m:G, j'<=na,j<=nb) := return(exp(m,b[j]) = exp(g, mult(a[j'], b))) | foreach ibDDH7 <= nbDDH7 do ODDHb7(m:G, j'<=na,j<=na) := return(exp(m,a[j]) = exp(g, mult(a[j'], b))) | + foreach ibeq <= nbeq do OBeq(m:G) := return(m = exp(g,b)) | foreach ibDDH1 <= nbDDH1 do ODDHb1(m:G, m':G) := return(m = exp(m', b)) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := return(m = exp(g, mult(a[j], b))) | foreach ibDDH8 <= nbDDH8 do ODDHb8(m:G,j<=nb) [3] := return(m = exp(g,mult(b[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) <=(na * nb * - pGDH(time + (na + nb - 1) * time(exp), + pGDH(time + (na + nb - 1 + #ODHa9 + #ODHb9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa2 + #ODDHa3 + #ODDHa4 + #ODDHa5 + #ODDHa6 + #ODDHa7 + #ODDHa8 + - #ODDHb + #ODDHb1 + #ODDHb2 + #ODDHb3 + #ODDHb4 + #ODDHb5 + #ODDHb6 + #ODDHb7 + #ODDHb8))=> [computational] + #ODDHb + #ODDHb1 + #ODDHb2 + #ODDHb3 + #ODDHb4 + #ODDHb5 + #ODDHb6 + #ODDHb7 + #ODDHb8) + (na + nb) * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | Oa() := let ka:bool = true in return(a) | 
@@ -3611,25 +3845,25 @@ equiv(gdh(exp)) foreach iaDDH3 <= naDDH3 do ODDHa3(m:G, m':G,j<=na) := return(exp'(m,a[j]) = exp'(m', a)) | (* Similar to ODDHa2 *) foreach iaDDH4 <= naDDH4 do ODDHa4(m:G, j'<=nb,j<=nb) := - find u<=nb suchthat defined(kb[u],b[u]) && b[j'] = b[u] then return(exp'(m,b[j]) = exp'(g, mult(b[j'], a))) else + if defined(kb[j']) then return(exp'(m,b[j]) = exp'(g, mult(b[j'], a))) else if defined(ka) then return(exp'(m,b[j]) = exp'(g, mult(b[j'], a))) else - return(b[j] = b[j'] && exp'(m,b[j']) = exp'(g, mult(b[j'], a))) | + return(j = j' && exp'(m,b[j']) = exp'(g, mult(b[j'], a))) | (* GDH always allows to compute exp(m, b[j]) = exp(g,mult(b[j'],a)) as a particular case of ODDHa2. When a or b[j'] is leaked, that is all we use and we keep the value that occurs in the left-hand side exp'(m, b[j]) = exp'(g,mult(b[j'],a)). Otherwise, we distinguish two cases: - - When b[j] = b[j'], we also keep the value of the left-hand side. + - When j = j', we also keep the value of the left-hand side. - Otherwise, we apply the CDH assumption considering an adversary that knows b[j] and computes exp(m, b[j]). This adversary cannot compute exp(g,mult(b[j'],a)) by CDH, so the equality exp(m, b[j]) = exp(g,mult(b[j'],a)) is false in this case. Hence, the equality exp(m, b[j]) = exp(g,mult(b[j'],a)) - reduces to b[j] = b[j'] && exp'(m,b[j']) = exp'(g, mult(b[j'], a)). *) + reduces to j = j' && exp'(m,b[j']) = exp'(g, mult(b[j'], a)). *) foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=nb,j<=na) := - find u<=nb suchthat defined(kb[u],b[u]) && b[j'] = b[u] then return(exp'(m,a[j]) = exp'(g, mult(b[j'], a))) else + if defined(kb[j']) then return(exp'(m,a[j]) = exp'(g, mult(b[j'], a))) else if defined(ka) then return(exp'(m,a[j]) = exp'(g, mult(b[j'], a))) else - return (a[j] = a && exp'(m,a) = exp'(g, mult(b[j'], a))) | + return (j = ia && exp'(m,a) = exp'(g, mult(b[j'], a))) | (* This case is similar to ODDHa4. 
*) foreach iaDDH6 <= naDDH6 do ODDHa6(m:G, j'<=na,j<=nb) := return(exp'(m,b[j]) = exp'(g, mult(a[j'], a))) | foreach iaDDH7 <= naDDH7 do ODDHa7(m:G, j'<=na,j<=na) := return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) | @@ -3638,12 +3872,13 @@ equiv(gdh(exp)) We need to consider all these forms because CryptoVerif rewrites exp(exp(g,b[j']),a) into exp(g,mult(b[j'],a)), and it would not detect exp(g,mult(b[j'],a)) as an instance of exp(m',a). *) + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp'(g,a)) | foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp'(m', a)) (* GDH allows to compute m = exp(m',a) for any m and m', without leaking a, as it is DDH(g, exp(g,a), m', m) *) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=nb) := - find u<=nb suchthat defined(kb[u],b[u]) && b[j] = b[u] then return(m = exp'(g, mult(b[j], a))) else + if defined(kb[j]) then return(m = exp'(g, mult(b[j], a))) else if defined(ka) then return(m = exp'(g, mult(b[j], a))) else return(false) | (* ODDHa is a particular case of ODDHa1 in which can apply the CDH assumption, provided a and b[j] are not leaked. *) 
@@ -3660,18 +3895,19 @@ equiv(gdh(exp)) foreach ibDDH4 <= nbDDH4 do ODDHb4(m:G, j'<=nb,j<=nb) := return(exp'(m,b[j]) = exp'(g, mult(b[j'], b))) | foreach ibDDH5 <= nbDDH5 do ODDHb5(m:G, j'<=nb,j<=na) := return(exp'(m,a[j]) = exp'(g, mult(b[j'], b))) | foreach ibDDH6 <= nbDDH6 do ODDHb6(m:G, j'<=na,j<=nb) := - find u<=na suchthat defined(ka[u],a[u]) && a[j'] = a[u] then return(exp'(m,b[j]) = exp'(g, mult(a[j'], b))) else + if defined(ka[j']) then return(exp'(m,b[j]) = exp'(g, mult(a[j'], b))) else if defined(kb) then return(exp'(m,b[j]) = exp'(g, mult(a[j'], b))) else - return(b[j] = b && exp'(m,b) = exp'(g, mult(a[j'], b))) | + return(j = ib && exp'(m,b) = exp'(g, mult(a[j'], b))) | foreach ibDDH7 <= nbDDH7 do ODDHb7(m:G, j'<=na,j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j'] = a[u] then return(exp'(m,a[j]) = exp'(g, mult(a[j'], b))) else + if defined(ka[j']) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], b))) else if defined(kb) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], b))) else - return(a[j] = a[j'] && exp'(m,a[j']) = exp'(g, mult(a[j'], b))) | + return(j = j' && exp'(m,a[j']) = exp'(g, mult(a[j'], b))) | + foreach ibeq <= nbeq do OBeq(m:G) := return(m = exp'(g,b)) | foreach ibDDH1 <= nbDDH1 do ODDHb1(m:G, m':G) := return(m = exp'(m', b)) (* GDH allows to compute m = exp(m',b) for any m and m', without leaking b *) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j] = a[u] then return(m = exp'(g, mult(a[j], b))) else + if defined(ka[j]) then return(m = exp'(g, mult(a[j], b))) else if defined(kb) then return(m = exp'(g, mult(a[j], b))) else return(false) | foreach ibDDH8 <= nbDDH8 do ODDHb8(m:G,j<=nb) [3] := return(m = exp'(g,mult(b[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) := return(exp'(g, mult(b, x))) 
@@ -3685,6 +3921,87 @@ equiv(gdh(exp)) exp(m', a) in the equivalence. *) } + +(* Same as GDH, but with a single family of exponents instead of two. + More powerful, but may lead to a higher probability. *) + +def GDH_single(G, Z, g, exp, exp', mult, pGDH, pDistRerandom) { + +(* the GDH assumption + This equivalence says that, when exp(g,a[i]) are known to the + adversary, the adversary can compute exp(g, mult(a[i], a[j])) for i<>j only with + negligible probability, even in the presence of a DDH oracle + DDH(G,A,B,C) tells whether A = G^a, B = G^b, and C = G^{ab} for some a,b, + that is DDH(G,A,B,C) is (log_G(A) * log_G(B) = log_G(C)). *) + +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. + +equiv(gdh(exp)) + foreach ia <= na do a <-R Z; ( + OA() := return(exp(g,a)) | + Oa() [10] := return(a) | + foreach iaDDH3 <= naDDH3 do ODDHa3(m:G, m':G,j<=na) := return(exp(m,a[j]) = exp(m', a)) | + foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=na,j<=na) [useful_change] := return(exp(m,a[j]) = exp(g, mult(a[j'], a))) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) + foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | + foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := return(m = exp(g, mult(a[j], a))) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) + ) +<=(na * (na-1)/2 * pGDH(time + (na + #ODHa9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa3 + #ODDHa5) + na * pDistRerandom)=> [computational] + foreach ia <= na do a <-R Z [unchanged]; ( + OA() := return(exp'(g,a)) | + Oa() := let ka:bool = true in return(a) | + foreach iaDDH3 <= naDDH3 do ODDHa3(m:G, m':G,j<=na) := return(exp'(m,a[j]) = exp'(m', a)) | + (* GDH allows to compute exp(m, a[j]) = exp(m',a) for any m and m', + without leaking a, 
as it is DDH(exp(g,a), exp(g,a[j]), m, m') + Indeed, + D(exp(g,a),exp(g,a[j]),m,m') + = (log_{g^a}(g^a[j]) * log_{g^a}(m) = log_{g^a}(m')) + = (a[j]/a * log_g(m)/a = log_g(m')/a) + = (a[j] * log_g(m) = a log_g(m')) + = (m^a[j] = m'^a). *) + foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=na,j<=na) := + if defined(ka[j']) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else + if defined(ka) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else + return ((j = ia || j = j' || j' = ia) && exp'(m,a[j]) = exp'(g, mult(a[j'], a))) | + (* GDH always allows to compute exp(m, a[j]) = exp(g,mult(a[j'],a)) + as a particular case of ODDHa2. + When a or a[j'] is leaked, that is all we use and we keep the value + that occurs in the left-hand side exp'(m, a[j]) = exp'(g,mult(a[j'],a)). + Otherwise, we distinguish two cases: + - When j = ia || j = j' || j' = ia, we keep the value + that occurs in the left-hand side exp'(m, a[j]) = exp'(g,mult(a[j'],a)). + - Otherwise, we apply the CDH assumption considering an adversary + that knows a[j] and computes exp(m, a[j]). This adversary cannot + compute exp(g,mult(a[j'],a)) by CDH, so the equality + exp(m, a[j]) = exp(g,mult(a[j'],a)) is false in this case. + Hence, the equality exp(m, a[j]) = exp(g,mult(a[j'],a)) + reduces to (j = ia || j = j' || j' = ia) && exp'(m, a[j]) = exp'(g,mult(a[j'],a)). *) + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp'(g,a)) | + foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := + return(m = exp'(m', a)) + (* GDH allows to compute m = exp(m',a) for any m and m', without leaking a, + as it is DDH(g, exp(g,a), m', m) *) | + foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := + if defined(ka[j]) then return(m = exp'(g, mult(a[j], a))) else + if defined(ka) then return(m = exp'(g, mult(a[j], a))) else + return(j = ia && m = exp'(g, mult(a[j], a))) | + (* ODDHa is a particular case of ODDHa1 in which can apply the CDH assumption, + provided a and a[j] are not leaked. 
*) + foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) + ). + (* We need to consider both forms m = exp(m', a) and m = exp(g, + mult(a[j], a)) in the equivalence, because, when m' is known to be + exp(g, a[j]), CryptoVerif is going to simplify m = exp(m', a) into + m = exp(g, mult(a[j], a)), and the procedure that tests whether a + term in the game matches a term in the equivalence would not + recognize that m = exp(g, mult(a[j], a)) in the game matches m = + exp(m', a) in the equivalence. *) +} + (* Variant of GDH with random self reducibility. It may yield lower probabilities but requires the rerandomization to be feasible. @@ -3712,8 +4029,8 @@ def GDH_RSR(G, Z, g, exp, exp', mult, pGDH, pDistRerandom) { DDH(G,A,B,C) tells whether A = G^a, B = G^b, and C = G^{ab} for some a,b, that is DDH(G,A,B,C) is (log_G(A) * log_G(B) = log_G(C)). *) -param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, naDH9, - nb, nbDDH, nbDDH1, nbDDH2, nbDDH3, nbDDH4, nbDDH5, nbDDH6, nbDDH7, nbDDH8, nbDH9. +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, naDH9, + nb, nbeq, nbDDH, nbDDH1, nbDDH2, nbDDH3, nbDDH4, nbDDH5, nbDDH6, nbDDH7, nbDDH8, nbDH9. equiv(gdh(exp)) foreach ia <= na do a <-R Z; ( 
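Review bot: The comment on ODDHa5 in the new GDH_single macro says the oracle is handled `as a particular case of ODDHa2`, but GDH_single defines no ODDHa2 (nor ODDHa4) oracle, so the reference dangles; the oracle it is actually an instance of appears to be ODDHa3 with m' = exp(g, a[j']). Consistently with that, the `param` line declares `naDDH2` and `naDDH4`, which no oracle in the macro uses; either drop the two parameters and reword the comment, or add the oracles if they were meant to be carried over from the two-family GDH. The header says `More powerful, but may lead to a higher probability` while the GDH_RSR_single header later in the file says `leads to`; the two macros should agree on whether the increase is unconditional.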
@@ -3725,7 +4042,11 @@ equiv(gdh(exp)) foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=nb,j<=na) := return(exp(m,a[j]) = exp(g, mult(b[j'], a))) | foreach iaDDH6 <= naDDH6 do ODDHa6(m:G, j'<=na,j<=nb) := return(exp(m,b[j]) = exp(g, mult(a[j'], a))) | foreach iaDDH7 <= naDDH7 do ODDHa7(m:G, j'<=na,j<=na) := return(exp(m,a[j]) = exp(g, mult(a[j'], a))) | - foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) + foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=nb) [useful_change] := return(m = exp(g, mult(b[j], a))) | foreach iaDDH8 <= naDDH8 do ODDHa8(m:G,j<=na) [3] := return(m = exp(g,mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) 
@@ -3739,13 +4060,14 @@ equiv(gdh(exp)) foreach ibDDH5 <= nbDDH5 do ODDHb5(m:G, j'<=nb,j<=na) := return(exp(m,a[j]) = exp(g, mult(b[j'], b))) | foreach ibDDH6 <= nbDDH6 do ODDHb6(m:G, j'<=na,j<=nb) := return(exp(m,b[j]) = exp(g, mult(a[j'], b))) | foreach ibDDH7 <= nbDDH7 do ODDHb7(m:G, j'<=na,j<=na) := return(exp(m,a[j]) = exp(g, mult(a[j'], b))) | + foreach ibeq <= nbeq do OBeq(m:G) := return(m = exp(g,b)) | foreach ibDDH1 <= nbDDH1 do ODDHb1(m:G, m':G) := return(m = exp(m', b)) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := return(m = exp(g, mult(a[j], b))) | foreach ibDDH8 <= nbDDH8 do ODDHb8(m:G,j<=nb) [3] := return(m = exp(g,mult(b[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) -<=(max(1, 4*(#Oa-max(-1,-(#ODDHa5+#ODDHb7)))) * max(1, 4*(#Ob-max(-1,-(#ODDHa4+#ODDHb6)))) * - pGDH(time + (na + nb + 1) * time(exp), +<=(max(1, 4*(#Oa+optim-if #ODDHa5+#ODDHb7=0 then 0 else 1)) * max(1, 4*(#Ob+optim-if #ODDHa4+#ODDHb6=0 then 0 else 1)) * + pGDH(time + (na + nb + 1 + #ODHa9 + #ODHb9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa2 + #ODDHa3 + #ODDHa4 + #ODDHa5 + #ODDHa6 + #ODDHa7 + #ODDHa8 + #ODDHb + #ODDHb1 + #ODDHb2 + #ODDHb3 + #ODDHb4 + #ODDHb5 + #ODDHb6 + #ODDHb7 + #ODDHb8) + (na + nb) * pDistRerandom)=> [computational] 
@@ -3764,25 +4086,25 @@ equiv(gdh(exp)) foreach iaDDH3 <= naDDH3 do ODDHa3(m:G, m':G,j<=na) := return(exp'(m,a[j]) = exp'(m', a)) | (* Similar to ODDHa2 *) foreach iaDDH4 <= naDDH4 do ODDHa4(m:G, j'<=nb,j<=nb) := - find u<=nb suchthat defined(kb[u],b[u]) && b[j'] = b[u] then return(exp'(m,b[j]) = exp'(g, mult(b[j'], a))) else + if defined(kb[j']) then return(exp'(m,b[j]) = exp'(g, mult(b[j'], a))) else if defined(ka) then return(exp'(m,b[j]) = exp'(g, mult(b[j'], a))) else - return(b[j] = b[j'] && exp'(m,b[j']) = exp'(g, mult(b[j'], a))) | + return(j = j' && exp'(m,b[j']) = exp'(g, mult(b[j'], a))) | (* GDH always allows to compute exp(m, b[j]) = exp(g,mult(b[j'],a)) as a particular case of ODDHa2. When a or b[j'] is leaked, that is all we use and we keep the value that occurs in the left-hand side exp'(m, b[j]) = exp'(g,mult(b[j'],a)). Otherwise, we distinguish two cases: - - When b[j] = b[j'], we also keep the value of the left-hand side. + - When j = j', we also keep the value of the left-hand side. - Otherwise, we apply the CDH assumption considering an adversary that knows b[j] and computes exp(m, b[j]). This adversary cannot compute exp(g,mult(b[j'],a)) by CDH, so the equality exp(m, b[j]) = exp(g,mult(b[j'],a)) is false in this case. Hence, the equality exp(m, b[j]) = exp(g,mult(b[j'],a)) - reduces to b[j] = b[j'] && exp'(m,b[j']) = exp'(g, mult(b[j'], a)). *) + reduces to j = j' && exp'(m,b[j']) = exp'(g, mult(b[j'], a)). *) foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=nb,j<=na) := - find u<=nb suchthat defined(kb[u],b[u]) && b[j'] = b[u] then return(exp'(m,a[j]) = exp'(g, mult(b[j'], a))) else + if defined(kb[j']) then return(exp'(m,a[j]) = exp'(g, mult(b[j'], a))) else if defined(ka) then return(exp'(m,a[j]) = exp'(g, mult(b[j'], a))) else - return (a[j] = a && exp'(m,a) = exp'(g, mult(b[j'], a))) | + return (j = ia && exp'(m,a) = exp'(g, mult(b[j'], a))) | (* This case is similar to ODDHa4. 
*) foreach iaDDH6 <= naDDH6 do ODDHa6(m:G, j'<=na,j<=nb) := return(exp'(m,b[j]) = exp'(g, mult(a[j'], a))) | foreach iaDDH7 <= naDDH7 do ODDHa7(m:G, j'<=na,j<=na) := return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) | @@ -3791,12 +4113,13 @@ equiv(gdh(exp)) We need to consider all these forms because CryptoVerif rewrites exp(exp(g,b[j']),a) into exp(g,mult(b[j'],a)), and it would not detect exp(g,mult(b[j'],a)) as an instance of exp(m',a). *) + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp'(g,a)) | foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp'(m', a)) (* GDH allows to compute m = exp(m',a) for any m and m', without leaking a, as it is DDH(g, exp(g,a), m', m) *) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=nb) := - find u<=nb suchthat defined(kb[u],b[u]) && b[j] = b[u] then return(m = exp'(g, mult(b[j], a))) else + if defined(kb[j]) then return(m = exp'(g, mult(b[j], a))) else if defined(ka) then return(m = exp'(g, mult(b[j], a))) else return(false) | (* ODDHa is a particular case of ODDHa1 in which can apply the CDH assumption, provided a and b[j] are not leaked. *) 
@@ -3813,18 +4136,19 @@ equiv(gdh(exp)) foreach ibDDH4 <= nbDDH4 do ODDHb4(m:G, j'<=nb,j<=nb) := return(exp'(m,b[j]) = exp'(g, mult(b[j'], b))) | foreach ibDDH5 <= nbDDH5 do ODDHb5(m:G, j'<=nb,j<=na) := return(exp'(m,a[j]) = exp'(g, mult(b[j'], b))) | foreach ibDDH6 <= nbDDH6 do ODDHb6(m:G, j'<=na,j<=nb) := - find u<=na suchthat defined(ka[u],a[u]) && a[j'] = a[u] then return(exp'(m,b[j]) = exp'(g, mult(a[j'], b))) else + if defined(ka[j']) then return(exp'(m,b[j]) = exp'(g, mult(a[j'], b))) else if defined(kb) then return(exp'(m,b[j]) = exp'(g, mult(a[j'], b))) else - return(b[j] = b && exp'(m,b) = exp'(g, mult(a[j'], b))) | + return(j = ib && exp'(m,b) = exp'(g, mult(a[j'], b))) | foreach ibDDH7 <= nbDDH7 do ODDHb7(m:G, j'<=na,j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j'] = a[u] then return(exp'(m,a[j]) = exp'(g, mult(a[j'], b))) else + if defined(ka[j']) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], b))) else if defined(kb) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], b))) else - return(a[j] = a[j'] && exp'(m,a[j']) = exp'(g, mult(a[j'], b))) | + return(j = j' && exp'(m,a[j']) = exp'(g, mult(a[j'], b))) | + foreach ibeq <= nbeq do OBeq(m:G) := return(m = exp'(g,b)) | foreach ibDDH1 <= nbDDH1 do ODDHb1(m:G, m':G) := return(m = exp'(m', b)) (* GDH allows to compute m = exp(m',b) for any m and m', without leaking b *) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j] = a[u] then return(m = exp'(g, mult(a[j], b))) else + if defined(ka[j]) then return(m = exp'(g, mult(a[j], b))) else if defined(kb) then return(m = exp'(g, mult(a[j], b))) else return(false) | foreach ibDDH8 <= nbDDH8 do ODDHb8(m:G,j<=nb) [3] := return(m = exp'(g,mult(b[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) := return(exp'(g, mult(b, x))) 
@@ -3838,6 +4162,88 @@ equiv(gdh(exp)) exp(m', a) in the equivalence. *) } +(* Same as GDH_RSR, but with a single family of exponents instead of two. + More powerful, but leads to a higher probability. *) + +def GDH_RSR_single(G, Z, g, exp, exp', mult, pGDH, pDistRerandom) { + +(* the GDH assumption + This equivalence says that, when exp(g,a[i]) are known to the + adversary, the adversary can compute exp(g, mult(a[i], a[j])) for i<>j only with + negligible probability, even in the presence of a DDH oracle + DDH(G,A,B,C) tells whether A = G^a, B = G^b, and C = G^{ab} for some a,b, + that is DDH(G,A,B,C) is (log_G(A) * log_G(B) = log_G(C)). *) + +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. + +equiv(gdh(exp)) + foreach ia <= na do a <-R Z; ( + OA() := return(exp(g,a)) | + Oa() [10] := return(a) | + foreach iaDDH3 <= naDDH3 do ODDHa3(m:G, m':G,j<=na) := return(exp(m,a[j]) = exp(m', a)) | + foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=na,j<=na) [useful_change] := return(exp(m,a[j]) = exp(g, mult(a[j'], a))) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) + foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | + foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := return(m = exp(g, mult(a[j], a))) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) + ) +<=(2* max(1, 27/4*(#Oa+optim-if #ODDHa5=0 then 0 else 1)^2) * + pGDH(time + (na+1 + #ODHa9) * time(exp), + #ODDHa + #ODDHa1 + #ODDHa3 + #ODDHa5) + na * pDistRerandom)=> [computational] + foreach ia <= na do a <-R Z [unchanged]; ( + OA() := return(exp'(g,a)) | + Oa() := let ka:bool = true in return(a) | + foreach iaDDH3 <= naDDH3 do ODDHa3(m:G, m':G,j<=na) := return(exp'(m,a[j]) = exp'(m', a)) | + (* GDH allows to compute exp(m, 
a[j]) = exp(m',a) for any m and m', + without leaking a, as it is DDH(exp(g,a), exp(g,a[j]), m, m') + Indeed, + D(exp(g,a),exp(g,a[j]),m,m') + = (log_{g^a}(g^a[j]) * log_{g^a}(m) = log_{g^a}(m')) + = (a[j]/a * log_g(m)/a = log_g(m')/a) + = (a[j] * log_g(m) = a log_g(m')) + = (m^a[j] = m'^a). *) + foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=na,j<=na) := + if defined(ka[j']) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else + if defined(ka) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else + return ((j = ia || j = j' || j' = ia) && exp'(m,a[j]) = exp'(g, mult(a[j'], a))) | + (* GDH always allows to compute exp(m, a[j]) = exp(g,mult(a[j'],a)) + as a particular case of ODDHa2. + When a or a[j'] is leaked, that is all we use and we keep the value + that occurs in the left-hand side exp'(m, a[j]) = exp'(g,mult(a[j'],a)). + Otherwise, we distinguish two cases: + - When j = ia || j = j' || j' = ia, we keep the value + that occurs in the left-hand side exp'(m, a[j]) = exp'(g,mult(a[j'],a)). + - Otherwise, we apply the CDH assumption considering an adversary + that knows a[j] and computes exp(m, a[j]). This adversary cannot + compute exp(g,mult(a[j'],a)) by CDH, so the equality + exp(m, a[j]) = exp(g,mult(a[j'],a)) is false in this case. + Hence, the equality exp(m, a[j]) = exp(g,mult(a[j'],a)) + reduces to (j = ia || j = j' || j' = ia) && exp'(m, a[j]) = exp'(g,mult(a[j'],a)). 
*) + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp'(g,a)) | + foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := + return(m = exp'(m', a)) + (* GDH allows to compute m = exp(m',a) for any m and m', without leaking a, + as it is DDH(g, exp(g,a), m', m) *) | + foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := + if defined(ka[j]) then return(m = exp'(g, mult(a[j], a))) else + if defined(ka) then return(m = exp'(g, mult(a[j], a))) else + return(j = ia && m = exp'(g, mult(a[j], a))) | + (* ODDHa is a particular case of ODDHa1 in which can apply the CDH assumption, + provided a and a[j] are not leaked. *) + foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) + ). + (* We need to consider both forms m = exp(m', a) and m = exp(g, + mult(a[j], a)) in the equivalence, because, when m' is known to be + exp(g, a[j]), CryptoVerif is going to simplify m = exp(m', a) into + m = exp(g, mult(a[j], a)), and the procedure that tests whether a + term in the game matches a term in the equivalence would not + recognize that m = exp(g, mult(a[j], a)) in the game matches m = + exp(m', a) in the equivalence. *) +} + (* square Computational Diffie-Hellman and Computational Diffie-Hellman. 
@@ -3866,13 +4272,13 @@ equiv(cdh(exp)) return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(na * naDDH * pSQCDH(time + (na + #ODDHa - 2) * time(exp)) - + na * (na-1) * naDDH *pCDH(time + (na + #ODDHa - 3) * time(exp)))=> [computational] +<=(na * naDDH * pSQCDH(time + (na + #ODDHa - 2 + #ODHa9) * time(exp)) + + na * (na-1) * naDDH * pCDH(time + (na + #ODDHa - 3 + #ODHa9) * time(exp)))=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | Oa() := let ka:bool = true in return(a) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j] = a[u] then return(m = exp'(g, mult(a[j], a))) else + if defined(ka[j]) then return(m = exp'(g, mult(a[j], a))) else if defined(ka) then return(m = exp'(g, mult(a[j], a))) else return(false) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ). @@ -3910,12 +4316,12 @@ equiv(cdh(exp)) return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(#ODDHa * max(1, 27/4*#Oa*#Oa) * pSQCDH(time + (na + #ODDHa + 1) * time(exp)) + na * pDistRerandom)=> [computational] +<=(#ODDHa * max(1, 27/4*#Oa^2) * pSQCDH(time + (na + #ODDHa + 1 + #ODHa9) * time(exp)) + na * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | Oa() := let ka:bool = true in return(a) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j] = a[u] then return(m = exp'(g, mult(a[j], a))) else + if defined(ka[j]) then return(m = exp'(g, mult(a[j], a))) else if defined(ka) then return(m = exp'(g, mult(a[j], a))) else return(false) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ). @@ -3939,6 +4345,8 @@ event ev_abort. param na, naDH, naDH9. +table dhval(na, na, G). + equiv(ddh(exp)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | 
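Review bot: The bound of the new GDH_RSR_single macro, `2* max(1, 27/4*(#Oa+optim-if #ODDHa5=0 then 0 else 1)^2) * pGDH(...)`, carries a leading factor 2 that the otherwise identical bound of square_GDH_RSR (hunk -4088) does not have, and nothing in the macro says where it comes from; the justification belongs in a comment next to the bound, in the form `(* factor 2: <reason> *)` with the actual reason filled in, so that a reader comparing the two macros is not left guessing. As in GDH_single, the ODDHa5 comment refers to an `ODDHa2` oracle that this macro does not define, and `naDDH2` and `naDDH4` are declared but unused. The header comment here states `leads to a higher probability` while GDH_single says `may lead to`; pick one wording for both.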
@@ -3946,21 +4354,21 @@ equiv(ddh(exp)) foreach iaDH <= naDH do ODHa(j<=na) [useful_change] := return (exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(na * pSQDDH(time + (na + #ODHa - 2) * time(exp)) + na*(na-1)/2 * pDDH(time + (na + #ODHa - 3) * time(exp)))=> +<=(na * pSQDDH(time + (na + #ODHa - 2 + #ODHa9) * time(exp)) + na*(na-1)/2 * pDDH(time + (na + #ODHa - 3 + #ODHa9) * time(exp)))=> foreach ia <= na do a <-R Z; ( OA() := return(exp'(g,a)) | - Oa() := - find uaDH <= naDH suchthat defined(ka'[uaDH]) then event_abort ev_abort - orfind uaDH <= naDH, ua <= na suchthat defined(ka'[uaDH, ua], a'[uaDH, ua]) && a'[uaDH, ua] = a then event_abort ev_abort else - let ka:bool = true in return(a) | + Oa() := + get dhval(=ia, j, c) in event_abort ev_abort else + get dhval(j, =ia, c) in event_abort ev_abort else + let ka:bool = true in return(a) | foreach iaDH <= naDH do ODHa(j<=na) := - let a':Z = a[j] in - find u<=na suchthat defined(ka[u],a[u]) && a' = a[u] then return(exp'(g, mult(a', a))) else - if defined(ka) then return(exp'(g, mult(a', a))) else - let ka':bool = true in - find vaDH <= naDH suchthat defined(a'[vaDH],ca[vaDH]) && a' = a'[vaDH] then return(ca[vaDH]) - orfind vaDH <= naDH, va <= na suchthat defined(a[va], a'[vaDH, va], ca[vaDH, va]) && a' = a[va] && a = a'[vaDH, va] then return(ca[vaDH, va]) else - ca <-R G; return(ca) | + if defined(ka[j]) then return(exp'(g, mult(a[j], a))) else + if defined(ka) then return(exp'(g, mult(a[j], a))) else + get[unique] dhval(=ia, =j, c) in return(c) else + get[unique] dhval(=j, =ia, c) in return(c) else + ca <-R G; + insert dhval(ia, j, ca); + return(ca) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ). 
@@ -3976,12 +4384,22 @@ equiv(ddh(exp)) with at most n calls to the DDH oracle. pSQGDH(t,n): the probability of breaking the square GDH assumption in time t, with at most n calls to the DDH oracle. + pDistRerandom: the probability that rerandomization can be distinguished from the + original distribution + It is 0 when exponents are chosen uniformly in (Z/qZ)^*. + 2^-125 for curve25519 + 2^-220 for curve448 + (see https://tools.ietf.org/html/draft-barnes-cfrg-mult-for-7748-00 for the rerandomization + for curve25519 and curve448). It is needed because, for curve25519/448, to make + the DH decision oracle unambiguous, we generate secret keys in [(p+1)/2,p-1] + instead of the set used for generating secret keys in the curve25519/448 implementation. + (The latter set yields equivalent secret keys with small probability.) Other arguments as in DH_basic. All arguments must be declared before this macro. *) -def square_GDH(G, Z, g, exp, exp', mult, pGDH, pSQGDH) { +def square_GDH(G, Z, g, exp, exp', mult, pGDH, pSQGDH, pDistRerandom) { (* the square GDH assumption This equivalence says that, when exp(g,a[i]) are known to the @@ -3990,7 +4408,7 @@ def square_GDH(G, Z, g, exp, exp', mult, pGDH, pSQGDH) { DDH(G,A,B,C) tells whether A = G^a, B = G^b, and C = G^{ab} for some a,b, that is DDH(G,A,B,C) is (log_G(A) * log_G(B) = log_G(C)). *) -param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. equiv(gdh(exp)) foreach ia <= na do a <-R Z; ( 
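Review bot: `def square_GDH` gains a ninth macro argument, `pDistRerandom`, so any existing `expand square_GDH(...)` written with eight arguments stops parsing; no call site is visible in this chunk, so the .ocv files in the tree that expand this macro need to be checked against the new arity. The added documentation of `pDistRerandom` is the only place in this hunk that explains the argument, and it would help callers to state there that the term enters the bound as `na * pDistRerandom` (as the bound in hunk -3998 does) and that it is 0 for uniform exponents, which the text already implies.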
@@ -3998,12 +4416,17 @@ equiv(gdh(exp)) Oa() [10] := return(a) | foreach iaDDH3 <= naDDH3 do ODDHa3(m:G, m':G,j<=na) := return(exp(m,a[j]) = exp(m', a)) | foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=na,j<=na) [useful_change] := return(exp(m,a[j]) = exp(g, mult(a[j'], a))) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(na * pSQGDH(time + na * time(exp), #ODDHa + #ODDHa1 + #ODDHa3 + #ODDHa5) + - na * (na-1) * pGDH(time + na * time(exp), #ODDHa + #ODDHa1 + #ODDHa3 + #ODDHa5))=> [computational] +<=(na * pSQGDH(time + (na + #ODHa9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa3 + #ODDHa5) + + na * (na-1)/2 * pGDH(time + (na + #ODHa9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa3 + #ODDHa5) + + na * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | Oa() := let ka:bool = true in return(a) | 
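Review bot: The pGDH term of the square_GDH bound is tightened from `na * (na-1) * pGDH(...)` to `na * (na-1)/2 * pGDH(...)` with no accompanying comment, while the pSQGDH term keeps its `na` factor; since this halves the stated loss, the reason (presumably that the reduction only has to guess an unordered pair of distinct exponents) should be recorded next to the bound, e.g. `(* na*(na-1)/2: one guess per unordered pair of distinct exponents *)`. The new `na * pDistRerandom` summand matches the argument documented in hunk -3976, and `#OAeq` is correctly absent from the DDH-oracle call count since OAeq compares against the public key only. The right-hand side of the equivalence continues past this hunk.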
@@ -4017,28 +4440,29 @@ equiv(gdh(exp)) = (a[j] * log_g(m) = a log_g(m')) = (m^a[j] = m'^a). *) foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=na,j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j'] = a[u] then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else + if defined(ka[j']) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else if defined(ka) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else - return ((a[j] = a || a[j] = a[j']) && exp'(m,a[j]) = exp'(g, mult(a[j'], a))) | + return ((j = ia || j = j') && exp'(m,a[j]) = exp'(g, mult(a[j'], a))) | (* GDH always allows to compute exp(m, a[j]) = exp(g,mult(a[j'],a)) as a particular case of ODDHa2. When a or a[j'] is leaked, that is all we use and we keep the value that occurs in the left-hand side exp'(m, a[j]) = exp'(g,mult(a[j'],a)). Otherwise, we distinguish two cases: - - When a[j] = a[j'] or a[j] = a[j'], we keep the value + - When j = ia or j = j', we keep the value that occurs in the left-hand side exp'(m, a[j]) = exp'(g,mult(a[j'],a)). - Otherwise, we apply the CDH assumption considering an adversary that knows a[j] and computes exp(m, a[j]). This adversary cannot compute exp(g,mult(a[j'],a)) by CDH, so the equality exp(m, a[j]) = exp(g,mult(a[j'],a)) is false in this case. Hence, the equality exp(m, a[j]) = exp(g,mult(a[j'],a)) - reduces to (a[j] = a || a[j] = a[j']) && exp'(m, a[j]) = exp'(g,mult(a[j'],a)). *) + reduces to (j = ia || j = j') && exp'(m, a[j]) = exp'(g,mult(a[j'],a)). 
*) + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp'(g,a)) | foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp'(m', a)) (* GDH allows to compute m = exp(m',a) for any m and m', without leaking a, as it is DDH(g, exp(g,a), m', m) *) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j] = a[u] then return(m = exp'(g, mult(a[j], a))) else + if defined(ka[j]) then return(m = exp'(g, mult(a[j], a))) else if defined(ka) then return(m = exp'(g, mult(a[j], a))) else return(false) | (* ODDHa is a particular case of ODDHa1 in which can apply the CDH assumption, provided a and a[j] are not leaked. *) @@ -4080,7 +4504,7 @@ def square_GDH_RSR(G, Z, g, exp, exp', mult, pSQGDH, pDistRerandom) { DDH(G,A,B,C) tells whether A = G^a, B = G^b, and C = G^{ab} for some a,b, that is DDH(G,A,B,C) is (log_G(A) * log_G(B) = log_G(C)). *) -param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. equiv(gdh(exp)) foreach ia <= na do a <-R Z; ( 
@@ -4088,12 +4512,16 @@ equiv(gdh(exp)) Oa() [10] := return(a) | foreach iaDDH3 <= naDDH3 do ODDHa3(m:G, m':G,j<=na) := return(exp(m,a[j]) = exp(m', a)) | foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=na,j<=na) [useful_change] := return(exp(m,a[j]) = exp(g, mult(a[j'], a))) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(max(1, 27/4*(#Oa-max(-1,-#ODDHa5))*(#Oa-max(-1,-#ODDHa5))) * - pSQGDH(time + (na+1) * time(exp), +<=(max(1, 27/4*(#Oa+optim-if #ODDHa5=0 then 0 else 1)^2) * + pSQGDH(time + (na+1 + #ODHa9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa3 + #ODDHa5) + na * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp'(g,a)) | 
@@ -4108,28 +4536,29 @@ equiv(gdh(exp)) = (a[j] * log_g(m) = a log_g(m')) = (m^a[j] = m'^a). *) foreach iaDDH5 <= naDDH5 do ODDHa5(m:G, j'<=na,j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j'] = a[u] then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else + if defined(ka[j']) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else if defined(ka) then return(exp'(m,a[j]) = exp'(g, mult(a[j'], a))) else - return ((a[j] = a || a[j] = a[j']) && exp'(m,a[j]) = exp'(g, mult(a[j'], a))) | + return ((j = ia || j = j') && exp'(m,a[j]) = exp'(g, mult(a[j'], a))) | (* GDH always allows to compute exp(m, a[j]) = exp(g,mult(a[j'],a)) as a particular case of ODDHa2. When a or a[j'] is leaked, that is all we use and we keep the value that occurs in the left-hand side exp'(m, a[j]) = exp'(g,mult(a[j'],a)). Otherwise, we distinguish two cases: - - When a[j] = a[j'] or a[j] = a[j'], we keep the value + - When j = ia or j = j', we keep the value that occurs in the left-hand side exp'(m, a[j]) = exp'(g,mult(a[j'],a)). - Otherwise, we apply the CDH assumption considering an adversary that knows a[j] and computes exp(m, a[j]). This adversary cannot compute exp(g,mult(a[j'],a)) by CDH, so the equality exp(m, a[j]) = exp(g,mult(a[j'],a)) is false in this case. Hence, the equality exp(m, a[j]) = exp(g,mult(a[j'],a)) - reduces to (a[j] = a || a[j] = a[j']) && exp'(m, a[j]) = exp'(g,mult(a[j'],a)). *) + reduces to (j = ia || j = j') && exp'(m, a[j]) = exp'(g,mult(a[j'],a)). 
*) + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp'(g,a)) | foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp'(m', a)) (* GDH allows to compute m = exp(m',a) for any m and m', without leaking a, as it is DDH(g, exp(g,a), m', m) *) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := - find u<=na suchthat defined(ka[u],a[u]) && a[j] = a[u] then return(m = exp'(g, mult(a[j], a))) else + if defined(ka[j]) then return(m = exp'(g, mult(a[j], a))) else if defined(ka) then return(m = exp'(g, mult(a[j], a))) else return(false) | (* ODDHa is a particular case of ODDHa1 in which can apply the CDH assumption, provided a and a[j] are not leaked. *) @@ -4172,6 +4601,8 @@ event ev_abort. param na, na1, na2, nb, nb1, nb2, naDH9, nbDH9. +table prf_dh_val(na, nb, prf_in, prf_out). + equiv(prf_odh(prf)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | 
@@ -4186,49 +4617,91 @@ equiv(prf_odh(prf)) foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) <=(na * nb * pPRF_ODH(time + - (na + nb + #Oa2 + #Ob2 - 3)*time(exp)+ + (na + nb + #Oa2 + #Ob2 - 3 + #ODHa9 + #ODHb9)*time(exp)+ (#Oa2 + #Ob2 - 1)*time(prf, max(maxlength(xa2), maxlength(xb2))), na2 + nb2))=> foreach ia <= na do a <-R Z; ( OA() := return(exp'(g,a)) | Oa() := (* Abort when a must not be compromised *) - find uaDH <= na2 suchthat defined(ka'[uaDH]) then event_abort ev_abort - orfind ubDH <= nb2, ub <= nb suchthat defined(kb'[ubDH, ub], a'[ubDH, ub]) && a'[ubDH, ub] = a then event_abort ev_abort else + get prf_dh_val(=ia, jb, x, c) in event_abort ev_abort else let ka:bool = true in return(a) | foreach ia2 <= na2 do Oa2(jb <= nb, xa2: prf_in) := - let b': Z = b[jb] in - find u <= nb suchthat defined(kb[u],b[u]) && b' = b[u] then (* b' compromised *) return(prf(exp'(g, mult(b[jb], a)), xa2)) else + if defined(kb[jb]) then (* b[jb] compromised *) return(prf(exp'(g, mult(b[jb], a)), xa2)) else if defined(ka) then (* a compromised *) return(prf(exp'(g, mult(b[jb], a)), xa2)) else - (* At this point, a and b' are not compromised, and must never be compromised in the future *) - let ka': bool = true in - find vaDH <= na2 suchthat defined(b'[vaDH],xa2[vaDH],ca2[vaDH]) && b' = b'[vaDH] && xa2 = xa2[vaDH] then return(ca2[vaDH]) - orfind vbDH <= nb2, vb <= nb suchthat defined(b[vb], a'[vbDH, vb], xb2[vbDH, vb], cb2[vbDH, vb]) && b' = b[vb] && a = a'[vbDH, vb] && xa2 = xb2[vbDH, vb] then return(cb2[vbDH, vb]) else - ca2 <-R prf_out; return(ca2) | + (* At this point, a and b[jb] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ia, =jb, =xa2, c) in return(c) else + ca2 <-R prf_out; + insert prf_dh_val(ia, jb, xa2, ca2); + return(ca2) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ) | foreach ib <= nb do b <-R Z; ( OB() := return(exp'(g,b)) | Ob() := (* Abort when b must not be 
compromised *) - find ubDH <= nb2 suchthat defined(kb'[ubDH]) then event_abort ev_abort - orfind uaDH <= na2, ua <= na suchthat defined(ka'[uaDH, ua], b'[uaDH, ua]) && b'[uaDH, ua] = b then event_abort ev_abort else + get prf_dh_val(ja, =ib, x, c) in event_abort ev_abort else let kb:bool = true in return(b) | foreach ib2 <= nb2 do Ob2(ja <= na, xb2: prf_in) := - let a': Z = a[ja] in - find u <= na suchthat defined(ka[u],a[u]) && a' = a[u] then (* a' compromised *) return(prf(exp'(g, mult(a[ja], b)), xb2)) else + if defined(ka[ja]) then (* a[ja] compromised *) return(prf(exp'(g, mult(a[ja], b)), xb2)) else if defined(kb) then (* b compromised *) return(prf(exp'(g, mult(a[ja], b)), xb2)) else - (* At this point, b and a' are not compromised, and must never be compromised in the future *) - let kb': bool = true in - find vbDH <= nb2 suchthat defined(a'[vbDH],xb2[vbDH],cb2[vbDH]) && a' = a'[vbDH] && xb2 = xb2[vbDH] then return(cb2[vbDH]) - orfind vaDH <= na2, va <= na suchthat defined(a[va], b'[vaDH, va], xa2[vaDH, va], ca2[vaDH, va]) && a' = a[va] && b = b'[vaDH, va] && xb2 = xa2[vaDH, va] then return(ca2[vaDH, va]) else - cb2 <-R prf_out; return(cb2) | + (* At this point, b and a[ja] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ja, =ib, =xb2, c) in return(c) else + cb2 <-R prf_out; + insert prf_dh_val(ja, ib, xb2, cb2); + return(cb2) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) := return(exp'(g, mult(b, x))) ). } +(* Same as PRF_ODH1, but with a single family of exponents instead of two. + More powerful, but may lead to a higher probability. *) + +def PRF_ODH1_single(G, Z, prf_in, prf_out, g, exp, exp', mult, prf, pPRF_ODH) { + +fun prf(G, prf_in): prf_out. + +(* The PRF-ODH1 assumption *) + +event ev_abort. +event square. + +param na, na1, na2, naDH9. + +table prf_dh_val(na, na, prf_in, prf_out). 
+ +equiv(prf_odh(prf)) + foreach ia <= na do a <-R Z; ( + OA() := return(exp(g,a)) | + Oa() [10] := return(a) | + foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) [useful_change] := return(prf(exp(g, mult(a[ja], a)), xa2)) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) + ) +<=(na*(na-1)/2 * pPRF_ODH(time + (na + #Oa2 - 3 + #ODHa9)*time(exp) + (#Oa2 - 1) * time(prf, maxlength(xa2)), 2*na2))=> + foreach ia <= na do a <-R Z; ( + OA() := return(exp'(g,a)) | + Oa() := + (* Abort when a must not be compromised *) + get prf_dh_val(=ia, ja, x, c) in event_abort ev_abort else + get prf_dh_val(ja, =ia, x, c) in event_abort ev_abort else + let ka:bool = true in return(a) | + foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) := + if defined(ka[ja]) then (* a[ja] compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else + if defined(ka) then (* a compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else + if ja = ia then event_abort square else + (* At this point, a and a[ja] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ia, =ja, =xa2, c) in return(c) else + get[unique] prf_dh_val(=ja, =ia, =xa2, c) in return(c) else + ca2 <-R prf_out; + insert prf_dh_val(ia, ja, xa2, ca2); + return(ca2) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) + ). + +} + (* PRF-ODH2 is a consequence of GDH and ROM. It corresponds to mmPRF-ODH in https://eprint.iacr.org/2017/517, but again with several challenge queries using the same or different DH pairs and argument of the PRF. G, Z, g, exp, exp', mult are as in DH_basic. @@ -4255,6 +4728,8 @@ event ev_abort. param na, na1, na2, nb, nb1, nb2, naDH9, nbDH9. +table prf_dh_val(na, nb, prf_in, prf_out). + equiv(prf_odh(prf)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | 
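Review bot: In PRF_ODH1_single, Oa2 on the right-hand side executes `event_abort square` when `ja = ia` and neither exponent is compromised, but neither the new `event square.` declaration nor the oracle carries a comment, and the bound `na*(na-1)/2 * pPRF_ODH(...)` does not mention the event; a user of the macro has to work out that the single-family assumption gives no guarantee for `prf(exp(g, mult(a,a)), xa2)` and that the probability of `square` presumably has to be bounded separately in the calling proof. Suggested comment above the abort: `(* The assumption says nothing about the square exp(g, mult(a,a)); a query with ja = ia on an uncompromised a raises event square, which the calling proof must show unreachable or bound *)`. In the two-family PRF_ODH1 of the same hunk, compromise is now detected via `get prf_dh_val(=ia, jb, x, c)`, so correctness relies on every random-branch answer being inserted before it is returned; the `insert prf_dh_val(...)` placed directly before `return(ca2)` / `return(cb2)` does ensure this, and a short comment saying so would protect it against later reordering.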
@@ -4271,92 +4746,137 @@ equiv(prf_odh(prf)) foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) <=(na * nb * pPRF_ODH(time + - (na + nb + #Oa1 + #Ob1 + #Oa2 + #Ob2 - 3)*time(exp)+ - #Oa1*time(prf, maxlength(xa1))+#Ob1*time(prf, maxlength(xb1))+ - (#Oa2 + #Ob2 - 1)*time(prf, max(maxlength(xa2), maxlength(xb2))), + (na + nb + #Oa1 + #Ob1 + #Oa2 + #Ob2 - 3 + #ODHa9 + #ODHb9)*time(exp)+ + (#Oa1 + #Ob1 + #Oa2 + #Ob2 - 1)* + time(prf, max(maxlength(xa1), maxlength(xb1), maxlength(xa2), maxlength(xb2))), na1 + nb1 + na2 + nb2, na1 + nb1))=> foreach ia <= na do a <-R Z; ( OA() := return(exp'(g,a)) | Oa() := (* Abort when a must not be compromised *) - find uaDH <= na2 suchthat defined(ka'[uaDH]) then event_abort ev_abort - orfind uaDH <= na1 suchthat defined(ka''[uaDH]) then event_abort ev_abort - orfind ubDH <= nb2, ub <= nb suchthat defined(kb'[ubDH, ub], a'[ubDH, ub]) && a'[ubDH, ub] = a then event_abort ev_abort - orfind ubDH <= nb1, ub <= nb suchthat defined(kb''[ubDH, ub], a''[ubDH, ub]) && a''[ubDH, ub] = a then event_abort ev_abort else + get prf_dh_val(=ia, jb, x, c) in event_abort ev_abort else let ka:bool = true in return(a) | foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := find j' <= nb suchthat defined(b[j']) && ma1 = exp'(g, b[j']) then ( (* In this case, that's the same as Oa2 *) - let b'': Z = b[j'] in - find u <= nb suchthat defined(kb[u],b[u]) && b'' = b[u] then (* b'' compromised *) return(prf(exp'(ma1, a), xa1)) else + if defined(kb[j']) then (* b[j'] compromised *) return(prf(exp'(ma1, a), xa1)) else if defined(ka) then (* a compromised *) return(prf(exp'(ma1, a), xa1)) else - (* At this point, a and b'' are not compromised, and must never be compromised in the future *) - let ka'': bool = true in - find vaDH <= na1 suchthat defined(b''[vaDH],xa1[vaDH],ca1[vaDH]) && b'' = b''[vaDH] && xa1 = xa1[vaDH] then return(ca1[vaDH]) - orfind vaDH <= na2 suchthat defined(b'[vaDH],xa2[vaDH],ca2[vaDH]) && b'' = b'[vaDH] && xa1 = xa2[vaDH] then 
return(ca2[vaDH]) - orfind vbDH <= nb1, vb <= nb suchthat defined(b[vb], a''[vbDH, vb], xb1[vbDH, vb], cb1[vbDH, vb]) && b'' = b[vb] && a = a''[vbDH, vb] && xa1 = xb1[vbDH, vb] then return(cb1[vbDH, vb]) - orfind vbDH <= nb2, vb <= nb suchthat defined(b[vb], a'[vbDH, vb], xb2[vbDH, vb], cb2[vbDH, vb]) && b'' = b[vb] && a = a'[vbDH, vb] && xa1 = xb2[vbDH, vb] then return(cb2[vbDH, vb]) else - ca1 <-R prf_out; return(ca1) + (* At this point, a and b[j'] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ia, =j', =xa1, c) in return(c) else + ca1 <-R prf_out; + insert prf_dh_val(ia, j', xa1, ca1); + return(ca1) ) else return(prf(exp'(ma1, a), xa1)) | foreach ia2 <= na2 do Oa2(jb <= nb, xa2: prf_in) := - let b': Z = b[jb] in - find u <= nb suchthat defined(kb[u],b[u]) && b' = b[u] then (* b' compromised *) return(prf(exp'(g, mult(b[jb], a)), xa2)) else + if defined(kb[jb]) then (* b[jb] compromised *) return(prf(exp'(g, mult(b[jb], a)), xa2)) else if defined(ka) then (* a compromised *) return(prf(exp'(g, mult(b[jb], a)), xa2)) else (* At this point, a and b' are not compromised, and must never be compromised in the future *) - let ka': bool = true in - find vaDH <= na1 suchthat defined(b''[vaDH],xa1[vaDH],ca1[vaDH]) && b' = b''[vaDH] && xa2 = xa1[vaDH] then return(ca1[vaDH]) - orfind vaDH <= na2 suchthat defined(b'[vaDH],xa2[vaDH],ca2[vaDH]) && b' = b'[vaDH] && xa2 = xa2[vaDH] then return(ca2[vaDH]) - orfind vbDH <= nb1, vb <= nb suchthat defined(b[vb], a''[vbDH, vb], xb1[vbDH, vb], cb1[vbDH, vb]) && b' = b[vb] && a = a''[vbDH, vb] && xa2 = xb1[vbDH, vb] then return(cb1[vbDH, vb]) - orfind vbDH <= nb2, vb <= nb suchthat defined(b[vb], a'[vbDH, vb], xb2[vbDH, vb], cb2[vbDH, vb]) && b' = b[vb] && a = a'[vbDH, vb] && xa2 = xb2[vbDH, vb] then return(cb2[vbDH, vb]) else - ca2 <-R prf_out; return(ca2) | + get[unique] prf_dh_val(=ia, =jb, =xa2, c) in return(c) else + ca2 <-R prf_out; + insert prf_dh_val(ia, jb, xa2, ca2); + 
return(ca2) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ) | foreach ib <= nb do b <-R Z; ( OB() := return(exp'(g,b)) | Ob() := (* Abort when b must not be compromised *) - find ubDH <= nb2 suchthat defined(kb'[ubDH]) then event_abort ev_abort - orfind ubDH <= nb1 suchthat defined(kb''[ubDH]) then event_abort ev_abort - orfind uaDH <= na2, ua <= na suchthat defined(ka'[uaDH, ua], b'[uaDH, ua]) && b'[uaDH, ua] = b then event_abort ev_abort - orfind uaDH <= na1, ua <= na suchthat defined(ka''[uaDH, ua], b''[uaDH, ua]) && b''[uaDH, ua] = b then event_abort ev_abort else + get prf_dh_val(ja, =ib, x, c) in event_abort ev_abort else let kb:bool = true in return(b) | foreach ib1 <= nb1 do Ob1(mb1:G, xb1:prf_in) := find j' <= na suchthat defined(a[j']) && mb1 = exp'(g, a[j']) then ( (* In this case, that's the same as Oa2 *) - let a'': Z = a[j'] in - find u <= na suchthat defined(ka[u],a[u]) && a'' = a[u] then (* a'' compromised *) return(prf(exp'(mb1, b), xb1)) else + if defined(ka[j']) then (* a[j'] compromised *) return(prf(exp'(mb1, b), xb1)) else if defined(kb) then (* b compromised *) return(prf(exp'(mb1, b), xb1)) else - (* At this point, b and a'' are not compromised, and must never be compromised in the future *) - let kb'': bool = true in - find vbDH <= nb1 suchthat defined(a''[vbDH],xb1[vbDH],cb1[vbDH]) && a'' = a''[vbDH] && xb1 = xb1[vbDH] then return(cb1[vbDH]) - orfind vbDH <= nb2 suchthat defined(a'[vbDH],xb2[vbDH],cb2[vbDH]) && a'' = a'[vbDH] && xb1 = xb2[vbDH] then return(cb2[vbDH]) - orfind vaDH <= na1, va <= na suchthat defined(a[va], b''[vaDH, va], xa1[vaDH, va], ca1[vaDH, va]) && a'' = a[va] && b = b''[vaDH, va] && xb1 = xa1[vaDH, va] then return(ca1[vaDH, va]) - orfind vaDH <= na2, va <= na suchthat defined(a[va], b'[vaDH, va], xa2[vaDH, va], ca2[vaDH, va]) && a'' = a[va] && b = b'[vaDH, va] && xb1 = xa2[vaDH, va] then return(ca2[vaDH, va]) else - cb1 <-R prf_out; return(cb1) + (* At this point, b and a[j'] are not 
compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=j', =ib, =xb1, c) in return(c) else + cb1 <-R prf_out; + insert prf_dh_val(j', ib, xb1, cb1); + return(cb1) ) else return(prf(exp'(mb1, b), xb1)) | foreach ib2 <= nb2 do Ob2(ja <= na, xb2: prf_in) := - let a': Z = a[ja] in - find u <= na suchthat defined(ka[u],a[u]) && a' = a[u] then (* a' compromised *) return(prf(exp'(g, mult(a[ja], b)), xb2)) else + if defined(ka[ja]) then (* a[ja] compromised *) return(prf(exp'(g, mult(a[ja], b)), xb2)) else if defined(kb) then (* b compromised *) return(prf(exp'(g, mult(a[ja], b)), xb2)) else - (* At this point, b and a' are not compromised, and must never be compromised in the future *) - let kb': bool = true in - find vbDH <= nb1 suchthat defined(a''[vbDH],xb1[vbDH],cb1[vbDH]) && a' = a''[vbDH] && xb2 = xb1[vbDH] then return(cb1[vbDH]) - orfind vbDH <= nb2 suchthat defined(a'[vbDH],xb2[vbDH],cb2[vbDH]) && a' = a'[vbDH] && xb2 = xb2[vbDH] then return(cb2[vbDH]) - orfind vaDH <= na1, va <= na suchthat defined(a[va], b''[vaDH, va], xa1[vaDH, va], ca1[vaDH, va]) && a' = a[va] && b = b''[vaDH, va] && xb2 = xa1[vaDH, va] then return(ca1[vaDH, va]) - orfind vaDH <= na2, va <= na suchthat defined(a[va], b'[vaDH, va], xa2[vaDH, va], ca2[vaDH, va]) && a' = a[va] && b = b'[vaDH, va] && xb2 = xa2[vaDH, va] then return(ca2[vaDH, va]) else - cb2 <-R prf_out; return(cb2) | + (* At this point, b and a[ja] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ja, =ib, =xb2, c) in return(c) else + cb2 <-R prf_out; + insert prf_dh_val(ja, ib, xb2, cb2); + return(cb2) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) := return(exp'(g, mult(b, x))) ). } +(* Same as PRF_ODH2, but with a single family of exponents instead of two. + More powerful, but may lead to a higher probability. *) + +def PRF_ODH2_single(G, Z, prf_in, prf_out, g, exp, exp', mult, prf, pPRF_ODH) { + +fun prf(G, prf_in): prf_out. 
+ +(* The PRF-ODH2 assumption *) + +event ev_abort. + +param na, na1, na2, naDH9. + +table prf_dh_val(na, na, prf_in, prf_out). + +equiv(prf_odh(prf)) + foreach ia <= na do a <-R Z; ( + OA() := return(exp(g,a)) | + Oa() [10] := return(a) | + foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := return(prf(exp(ma1, a), xa1)) | + foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) [useful_change] := return(prf(exp(g, mult(a[ja], a)), xa2)) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) + ) +<=(na*(na-1)/2 * pPRF_ODH(time + (na + #Oa1 + #Oa2 - 3 + #ODHa9)*time(exp) + + (#Oa1 + #Oa2 - 1) * time(prf, max(maxlength(xa1), maxlength(xa2))), 2*na2, 2*na1))=> + foreach ia <= na do a <-R Z; ( + OA() := return(exp'(g,a)) | + Oa() := + (* Abort when a must not be compromised *) + get prf_dh_val(=ia, ja, x, c) in event_abort ev_abort else + get prf_dh_val(ja, =ia, x, c) in event_abort ev_abort else + let ka:bool = true in return(a) | + foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := + find j' <= na suchthat defined(a[j']) && ma1 = exp'(g, a[j']) then + ( + (* In this case, that's the same as Oa2 *) + if defined(ka[j']) then (* a[j'] compromised *) return(prf(exp'(ma1, a), xa1)) else + if defined(ka) then (* a compromised *) return(prf(exp'(ma1, a), xa1)) else + if j' = ia then (* square *) return(prf(exp'(ma1, a), xa1)) else + (* At this point, a and a[j'] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ia, =j', =xa1, c) in return(c) else + get[unique] prf_dh_val(=j', =ia, =xa1, c) in return(c) else + ca1 <-R prf_out; + insert prf_dh_val(ia, j', xa1, ca1); + return(ca1) + ) + else + return(prf(exp'(ma1, a), xa1)) | + foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) := + if defined(ka[ja]) then (* a[ja] compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else + if defined(ka) then (* a compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else + if ja = ia then (* square *) return(prf(exp'(g, mult(a[ja], 
a)), xa2)) else + (* At this point, a and a[ja] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ia, =ja, =xa2, c) in return(c) else + get[unique] prf_dh_val(=ja, =ia, =xa2, c) in return(c) else + ca2 <-R prf_out; + insert prf_dh_val(ia, ja, xa2, ca2); + return(ca2) | + foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) + ). + +} + (* square PRF-ODH1 and PRF-ODH1 This is a "square" variant of PRF_ODH1. @@ -4386,6 +4906,8 @@ event ev_abort. param na, na1, na2, naDH9. +table prf_dh_val(na, na, prf_in, prf_out). + equiv(prf_odh(prf)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | 
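Review bot: In the right-hand Oa2 of PRF_ODH2 the unchanged context comment `(* At this point, a and b' are not compromised, and must never be compromised in the future *)` still names `b'`, but this hunk deletes the `let b': Z = b[jb] in` binding it referred to, and the parallel comments in Oa1, Ob1 and Ob2 were already rewritten to `b[j']` / `a[j']` / `a[ja]`; it should read `(* At this point, a and b[jb] are not compromised, and must never be compromised in the future *)`. A second, more substantive inconsistency is the handling of the square case in the new PRF_ODH2_single: Oa1 and Oa2 fall back to the real value (`if j' = ia then (* square *) return(prf(exp'(ma1, a), xa1)) else` and the analogous line in Oa2), whereas PRF_ODH1_single earlier in this file does `event_abort square` at the same point, so the two "single family" macros impose different obligations on the caller (bounding the probability of `square` versus getting no guarantee for squares at all), which the header comment "Same as PRF_ODH2, but with a single family of exponents" does not mention; if the difference is intentional, a sentence in that header stating that squares are left unreplaced here would avoid surprising a user who switches between the two. While there, the context comment `(* In this case, that's the same as Oa2 *)` inside Ob1 of PRF_ODH2 presumably means Ob2, since Ob1 is the b-side oracle.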
@@ -4393,24 +4915,24 @@ equiv(prf_odh(prf)) foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) [useful_change] := return(prf(exp(g, mult(a[ja], a)), xa2)) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(na * pSQPRF_ODH(time + (na + #Oa2 - 2)*time(exp) + (#Oa2 - 1) * time(prf, maxlength(xa2)), na2) + - na*(na-1)/2 * pPRF_ODH(time + (na + #Oa2 - 3)*time(exp) + (#Oa2 - 1) * time(prf, maxlength(xa2)), 2*na2))=> +<=(na * pSQPRF_ODH(time + (na + #Oa2 - 2 + #ODHa9)*time(exp) + (#Oa2 - 1) * time(prf, maxlength(xa2)), na2) + + na*(na-1)/2 * pPRF_ODH(time + (na + #Oa2 - 3 + #ODHa9)*time(exp) + (#Oa2 - 1) * time(prf, maxlength(xa2)), 2*na2))=> foreach ia <= na do a <-R Z; ( OA() := return(exp'(g,a)) | Oa() := (* Abort when a must not be compromised *) - find uaDH <= na2 suchthat defined(ka'[uaDH]) then event_abort ev_abort - orfind uaDH <= na2, ua <= na suchthat defined(ka'[uaDH, ua], a'[uaDH, ua]) && a'[uaDH, ua] = a then event_abort ev_abort else + get prf_dh_val(=ia, ja, x, c) in event_abort ev_abort else + get prf_dh_val(ja, =ia, x, c) in event_abort ev_abort else let ka:bool = true in return(a) | foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) := - let a': Z = a[ja] in - find u <= na suchthat defined(ka[u],a[u]) && a' = a[u] then (* a' compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else + if defined(ka[ja]) then (* a[ja] compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else if defined(ka) then (* a compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else - (* At this point, a and a' are not compromised, and must never be compromised in the future *) - let ka': bool = true in - find vaDH <= na2 suchthat defined(a'[vaDH],xa2[vaDH],ca2[vaDH]) && a' = a'[vaDH] && xa2 = xa2[vaDH] then return(ca2[vaDH]) - orfind vaDH <= na2, va <= na suchthat defined(a[va], a'[vaDH, va], xa2[vaDH, va], ca2[vaDH, va]) && a' = a[va] && a = a'[vaDH, va] && xa2 = xa2[vaDH, va] then return(ca2[vaDH, va]) else - ca2 <-R prf_out; return(ca2) | + (* 
At this point, a and a[ja] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ia, =ja, =xa2, c) in return(c) else + get[unique] prf_dh_val(=ja, =ia, =xa2, c) in return(c) else + ca2 <-R prf_out; + insert prf_dh_val(ia, ja, xa2, ca2); + return(ca2) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ). @@ -4447,6 +4969,8 @@ event ev_abort. param na, na1, na2, naDH9. +table prf_dh_val(na, na, prf_in, prf_out). + equiv(prf_odh(prf)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | 
@@ -4455,45 +4979,41 @@ equiv(prf_odh(prf)) foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) [useful_change] := return(prf(exp(g, mult(a[ja], a)), xa2)) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(na * pSQPRF_ODH(time + (na + #Oa1 + #Oa2 - 2)*time(exp) + #Oa1 * time(prf, maxlength(xa1)) + (#Oa2 - 1) * time(prf, maxlength(xa2)), na2, na1) + - na*(na-1)/2 * pPRF_ODH(time + (na + #Oa1 + #Oa2 - 3)*time(exp) + #Oa1 * time(prf, maxlength(xa1)) + (#Oa2 - 1) * time(prf, maxlength(xa2)), 2*na2, 2*na1))=> +<=(na * pSQPRF_ODH(time + (na + #Oa1 + #Oa2 - 2 + #ODHa9)*time(exp) + + (#Oa1 + #Oa2 - 1) * time(prf, max(maxlength(xa1),maxlength(xa2))), na2, na1) + + na*(na-1)/2 * pPRF_ODH(time + (na + #Oa1 + #Oa2 - 3 + #ODHa9)*time(exp) + + (#Oa1 + #Oa2 - 1) * time(prf, max(maxlength(xa1), maxlength(xa2))), 2*na2, 2*na1))=> foreach ia <= na do a <-R Z; ( OA() := return(exp'(g,a)) | Oa() := (* Abort when a must not be compromised *) - find uaDH <= na2 suchthat defined(ka'[uaDH]) then event_abort ev_abort - orfind uaDH <= na1 suchthat defined(ka''[uaDH]) then event_abort ev_abort - orfind uaDH <= na2, ua <= na suchthat defined(ka'[uaDH, ua], a'[uaDH, ua]) && a'[uaDH, ua] = a then event_abort ev_abort - orfind uaDH <= na1, ua <= na suchthat defined(ka''[uaDH, ua], a''[uaDH, ua]) && a''[uaDH, ua] = a then event_abort ev_abort else + get prf_dh_val(=ia, ja, x, c) in event_abort ev_abort else + get prf_dh_val(ja, =ia, x, c) in event_abort ev_abort else let ka:bool = true in return(a) | foreach ia1 <= na1 do Oa1(ma1:G, xa1:prf_in) := find j' <= na suchthat defined(a[j']) && ma1 = exp'(g, a[j']) then ( (* In this case, that's the same as Oa2 *) - let a'': Z = a[j'] in - find u <= na suchthat defined(ka[u],a[u]) && a'' = a[u] then (* a'' compromised *) return(prf(exp'(ma1, a), xa1)) else + if defined(ka[j']) then (* a[j'] compromised *) return(prf(exp'(ma1, a), xa1)) else if defined(ka) then (* a compromised *) return(prf(exp'(ma1, a), xa1)) else - (* At this 
point, a and a'' are not compromised, and must never be compromised in the future *) - let ka'': bool = true in - find vaDH <= na1 suchthat defined(a''[vaDH],xa1[vaDH],ca1[vaDH]) && a'' = a''[vaDH] && xa1 = xa1[vaDH] then return(ca1[vaDH]) - orfind vaDH <= na2 suchthat defined(a'[vaDH],xa2[vaDH],ca2[vaDH]) && a'' = a'[vaDH] && xa1 = xa2[vaDH] then return(ca2[vaDH]) - orfind vaDH <= na1, va <= na suchthat defined(a[va], a''[vaDH, va], xa1[vaDH, va], ca1[vaDH, va]) && a'' = a[va] && a = a''[vaDH, va] && xa1 = xa1[vaDH, va] then return(ca1[vaDH, va]) - orfind vaDH <= na2, va <= na suchthat defined(a[va], a'[vaDH, va], xa2[vaDH, va], ca2[vaDH, va]) && a'' = a[va] && a = a'[vaDH, va] && xa1 = xa2[vaDH, va] then return(ca2[vaDH, va]) else - ca1 <-R prf_out; return(ca1) + (* At this point, a and a[j'] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ia, =j', =xa1, c) in return(c) else + get[unique] prf_dh_val(=j', =ia, =xa1, c) in return(c) else + ca1 <-R prf_out; + insert prf_dh_val(ia, j', xa1, ca1); + return(ca1) ) else return(prf(exp'(ma1, a), xa1)) | foreach ia2 <= na2 do Oa2(ja <= na, xa2: prf_in) := - let a': Z = a[ja] in - find u <= na suchthat defined(ka[u],a[u]) && a' = a[u] then (* a' compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else + if defined(ka[ja]) then (* a[ja] compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else if defined(ka) then (* a compromised *) return(prf(exp'(g, mult(a[ja], a)), xa2)) else - (* At this point, a and a' are not compromised, and must never be compromised in the future *) - let ka': bool = true in - find vaDH <= na1 suchthat defined(a''[vaDH],xa1[vaDH],ca1[vaDH]) && a' = a''[vaDH] && xa2 = xa1[vaDH] then return(ca1[vaDH]) - orfind vaDH <= na2 suchthat defined(a'[vaDH],xa2[vaDH],ca2[vaDH]) && a' = a'[vaDH] && xa2 = xa2[vaDH] then return(ca2[vaDH]) - orfind vaDH <= na1, va <= na suchthat defined(a[va], a''[vaDH, va], xa1[vaDH, va], ca1[vaDH, va]) && a' = a[va] && a = 
a''[vaDH, va] && xa2 = xa1[vaDH, va] then return(ca1[vaDH, va]) - orfind vaDH <= na2, va <= na suchthat defined(a[va], a'[vaDH, va], xa2[vaDH, va], ca2[vaDH, va]) && a' = a[va] && a = a'[vaDH, va] && xa2 = xa2[vaDH, va] then return(ca2[vaDH, va]) else - ca2 <-R prf_out; return(ca2) | + (* At this point, a and a[ja] are not compromised, and must never be compromised in the future *) + get[unique] prf_dh_val(=ia, =ja, =xa2, c) in return(c) else + get[unique] prf_dh_val(=ja, =ia, =xa2, c) in return(c) else + ca2 <-R prf_out; + insert prf_dh_val(ia, ja, xa2, ca2); + return(ca2) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp'(g, mult(a, x))) ). 
@@ -5135,2916 +5655,2916 @@ letfun dec(e_nonce: ciphertext, d: add_data, k: key) = bottom. } -(******************************* Hash functions (ROM) ****************************) - -(* Hash function in the random oracle model - key: type of the key of the hash function, which models the choice of the hash function, must be "bounded", typically "fixed" - input%: type of the %-th input of the hash function - output: type of the output of the hash function, must be "bounded" or "nonuniform" (typically "fixed"). - - f: the hash function. - WARNING: f is a keyed hash function. - The key must be generated once and for all at the beginning of the game - and the hash oracle must be made available to the adversary, - by including the process f_oracle(k) where k is the key. - qH is the number of calls to f_oracle. - - The types key, input%, and output must be declared before - this macro. The function f, the process f_oracle, and - the parameter qH are defined by this macro. They must not - be declared elsewhere, and they can be used only after expanding the - macro. - - *) - -def ROM_hash_1(key, input1, output, f, f_oracle, qH) { - -fun f(key, input1):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def ROM_hash_2(key, input1, input2, output, f, f_oracle, qH) { - -fun f(key, input1, input2):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def ROM_hash_3(key, input1, input2, input3, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3):output. 
- -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def ROM_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def ROM_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def ROM_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def ROM_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. 
- -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def ROM_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). - -} - -def ROM_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). - -} - -def ROM_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. 
- - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). - -} - -def ROM_hash(key, input, output, f, f_oracle, qH) { -expand ROM_hash_1(key, input, output, f, f_oracle, qH). -} - -(* ROM with large output. - The only difference with ROM is that we eliminate collisions on the output. - The interface is the same as for ROMs. *) - -def ROM_hash_large_1(key, input1, output, f, f_oracle, qH) { - -fun f(key, input1):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def ROM_hash_large_2(key, input1, input2, output, f, f_oracle, qH) { - -fun f(key, input1, input2):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def ROM_hash_large_3(key, input1, input2, input3, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def ROM_hash_large_4(key, input1, input2, input3, input4, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4):output. 
- -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def ROM_hash_large_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def ROM_hash_large_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def ROM_hash_large_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. 
- -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def ROM_hash_large_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). - -} - -def ROM_hash_large_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). - -} - -def ROM_hash_large_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). - -equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. - - -param qH [noninteractive]. 
- -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). - -} - -def ROM_hash_large(key, input, output, f, f_oracle, qH) { -expand ROM_hash_large_1(key, input, output, f, f_oracle, qH). -} - -(* Collision resistant hash function - key: type of the key of the hash function, must be "bounded" or "nonuniform", typically "fixed" - input%: type of the %-th input of the hash function - output: type of the output of the hash function - - f: the hash function. - Phash: probability of breaking collision resistance. - WARNING: A collision resistant hash function is a keyed hash function. - The key must be generated once and for all at the beginning of the game, - and immediately made available to the adversary, for instance by - including the process f_oracle(k), where k is the key. - - The types key, input%, output, and the probability Phash - must be declared before this macro. The function f and the - process f_oracle are defined by this macro. They must not be - declared elsewhere, and they can be used only after expanding the - macro. - - *) - -def CollisionResistant_hash_1(key, input1, output, f, f_oracle, Phash) { - -fun f(key, input1):output. - -collision k <-R key; forall x1:input1, y1:input1; - return(f(k, x1) = f(k, y1)) <=(Phash(time))=> return((x1 = y1)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { - -fun f(key, input1, input2):output. - -collision k <-R key; forall x1:input1, x2:input2, y1:input1, y2:input2; - return(f(k, x1, x2) = f(k, y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3):output. 
- -collision k <-R key; forall x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3; - return(f(k, x1, x2, x3) = f(k, y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4; - return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; - return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; - return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). - -let f_oracle(k: key) = - OH() := return(k). 
- -} - -def CollisionResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; - return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. 
- -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def CollisionResistant_hash(key, input, output, f, f_oracle, Phash) { -expand CollisionResistant_hash_1(key, input, output, f, f_oracle, Phash). -} - -(* Hidden-key collision resistant hash function - The interface is similar to collision-resistant hash functions, except for the addition of qH. - WARNING: A hidden-key collision resistant hash function is a keyed hash function. - The key must be generated once and for all at the beginning of the game, - and the hash oracle must be made available to the adversary, - by including the process f_oracle(k) where k is the key. - qH is the number of calls to f_oracle. 
- Phash(t,N): probability of breaking collision resistance - for an adversary that runs in time at most t - and calls the hash oracle at most N times. *) - -def HiddenKeyCollisionResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { - -fun f(key, input1):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1) := return(f(k, x1)) | - foreach i <= Ncoll do Ocoll(x1:input1, y1:input1) [useful_change] := return(f(k, x1) = f(k, y1))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1) := return(f(k, x1)) | - foreach i <= Ncoll do Ocoll(x1:input1, y1:input1) := return((x1 = y1))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def HiddenKeyCollisionResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2) := return(f(k, x1, x2)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, y1:input1, y2:input2) [useful_change] := return(f(k, x1, x2) = f(k, y1, y2))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2) := return(f(k, x1, x2)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, y1:input1, y2:input2) := return((x1 = y1) && (x2 = y2))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def HiddenKeyCollisionResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3):output. - -param N, Ncoll. 
- -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3) := return(f(k, x1, x2, x3)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3) [useful_change] := return(f(k, x1, x2, x3) = f(k, y1, y2, y3))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3) := return(f(k, x1, x2, x3)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def HiddenKeyCollisionResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -param N, Ncoll. - -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4) := return(f(k, x1, x2, x3, x4)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4) [useful_change] := return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4) := return(f(k, x1, x2, x3, x4)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def HiddenKeyCollisionResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -param N, Ncoll. 
- -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5) := return(f(k, x1, x2, x3, x4, x5)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) [useful_change] := return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5) := return(f(k, x1, x2, x3, x4, x5)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def HiddenKeyCollisionResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -param N, Ncoll. 
- -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6) := return(f(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6) := return(f(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def HiddenKeyCollisionResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -param N, Ncoll. 
- -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7) := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7) := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def HiddenKeyCollisionResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -param N, Ncoll. 
- -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). - -} - -def HiddenKeyCollisionResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -param N, Ncoll. 
- -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). - -} - -def HiddenKeyCollisionResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -param N, Ncoll. 
- -equiv(collision_res(f)) - k <-R key; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10))) - <=(Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). - -} - -def HiddenKeyCollisionResistant_hash(key, input, output, f, f_oracle, qH, Phash) { -expand HiddenKeyCollisionResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). - } - -(* Second-preimage-resistant hash function - The interface is the same as for collision-resistant hash functions. - *) - -def SecondPreimageResistant_hash_1(key, input1, output, f, f_oracle, Phash) { - -fun f(key, input1):output. 
- -collision k <-R key; x1 <-R input1; forall y1:input1; - return(f(k, x1) = f(k, y1)) <=(Phash(time))=> return((x1 = y1)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { - -fun f(key, input1, input2):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; forall y1:input1, y2:input2; - return(f(k, x1, x2) = f(k, y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; forall y1:input1, y2:input2, y3:input3; - return(f(k, x1, x2, x3) = f(k, y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; forall y1:input1, y2:input2, y3:input3, y4:input4; - return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; - return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). - -let f_oracle(k: key) = - OH() := return(k). 
- -} - -def SecondPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; - return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; - return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). - -let f_oracle(k: key) = - OH() := return(k). 
- -} - -def SecondPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). - -let f_oracle(k: key) = - OH() := return(k). - -} - -def SecondPreimageResistant_hash(key, input, output, f, f_oracle, Phash) { -expand SecondPreimageResistant_hash_1(key, input, output, f, f_oracle, Phash). -} - -(* Hidden key second-preimage-resistant hash function - The interface is the same as for hidden-key collision-resistant hash functions. 
- *) - -def HiddenKeySecondPreimageResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { - -fun f(key, input1):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1) := return(f(k, z1)) | - foreach i <= Nx do x1 <-R input1; - (Ox1() := return(x1) | - foreach i <= Ncoll do Ocoll(y1:input1) [useful_change] := return(f(k, x1) = f(k, y1)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1) := return(f(k, z1)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; - (Ox1() := return(x1) | - foreach i <= Ncoll do Ocoll(y1:input1) := return((x1 = y1)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def HiddenKeySecondPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2):output. - -param N, Nx, Ncoll. - -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; - (Ox1() := return(x1) | Ox2() := return(x2) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2) [useful_change] := return(f(k, x1, x2) = f(k, y1, y2)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2) := return((x1 = y1) && (x2 = y2)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def HiddenKeySecondPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3):output. - -param N, Nx, Ncoll. 
- -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3) [useful_change] := return(f(k, x1, x2, x3) = f(k, y1, y2, y3)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def HiddenKeySecondPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -param N, Nx, Ncoll. 
- -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4) [useful_change] := return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def HiddenKeySecondPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -param N, Nx, Ncoll. 
- -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) [useful_change] := return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def HiddenKeySecondPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -param N, Nx, Ncoll. 
- -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def HiddenKeySecondPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -param N, Nx, Ncoll. 
- -equiv(second_pre_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)))) - <=(Nx * Phash(time, N))=> [computational] - k <-R key [unchanged]; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | - foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; - (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | - foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def HiddenKeySecondPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -param N, Nx, Ncoll. 
-
-equiv(second_pre_res(f))
- k <-R key;
- (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8;
- (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) |
- foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8))))
- <=(Nx * Phash(time, N))=> [computational]
- k <-R key [unchanged];
- (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) |
- foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged];
- (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) |
- foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)))).
-
-
-param qH [noninteractive].
-
-let f_oracle(k: key) =
- foreach iH <= qH do
- OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) :=
- return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)).
-
-}
-
-def HiddenKeySecondPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) {
-
-fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output.
-
-param N, Nx, Ncoll.
-
-equiv(second_pre_res(f))
- k <-R key;
- (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9;
- (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) |
- foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9))))
- <=(Nx * Phash(time, N))=> [computational]
- k <-R key [unchanged];
- (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) |
- foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged]; x9 <-R input9 [unchanged];
- (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) |
- foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) &&
(x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)))).
-
-
-param qH [noninteractive].
-
-let f_oracle(k: key) =
- foreach iH <= qH do
- OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) :=
- return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)).
-
-}
-
-def HiddenKeySecondPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) {
-
-fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output.
-
-param N, Nx, Ncoll.
-
-equiv(second_pre_res(f))
- k <-R key;
- (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10;
- (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10) |
- foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10))))
- <=(Nx * Phash(time, N))=> [computational]
- k <-R key [unchanged];
- (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) |
- foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8
[unchanged]; x9 <-R input9 [unchanged]; x10 <-R input10 [unchanged];
- (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10) |
- foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)))).
-
-
-param qH [noninteractive].
-
-let f_oracle(k: key) =
- foreach iH <= qH do
- OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) :=
- return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)).
-
-}
-
-def HiddenKeySecondPreimageResistant_hash(key, input, output, f, f_oracle, qH, Phash) {
-expand HiddenKeySecondPreimageResistant_hash_1(key, input, output, f, f_oracle, qH, Phash).
- }
-
-(* Fixed-hash second-preimage-resistant hash function
- input%: type of the %-th input of the hash function
- output: type of the output of the hash function
-
- f(input...):output : the hash function. (It is not keyed.)
- Phash: probability of breaking second-preimage resistance.
-
- The types input%, output, and the probability Phash
- must be declared before this macro. The function f
- is defined by this macro. It must not be
- declared elsewhere, and it can be used only after expanding the
- macro.
- *)
-
-def FixedSecondPreimageResistant_hash_1(input1, output, f, Phash) {
-
-fun f(input1):output.
-
-collision x1 <-R input1; forall y1:input1;
- return(f(x1) = f(y1)) <=(Phash(time))=> return((x1 = y1)).
-
-}
-
-def FixedSecondPreimageResistant_hash_2(input1, input2, output, f, Phash) {
-
-fun f(input1, input2):output.
-
-collision x1 <-R input1; x2 <-R input2; forall y1:input1, y2:input2;
- return(f(x1, x2) = f(y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)).
-
-}
-
-def FixedSecondPreimageResistant_hash_3(input1, input2, input3, output, f, Phash) {
-
-fun f(input1, input2, input3):output.
-
-collision x1 <-R input1; x2 <-R input2; x3 <-R input3; forall y1:input1, y2:input2, y3:input3;
- return(f(x1, x2, x3) = f(y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)).
-
-}
-
-def FixedSecondPreimageResistant_hash_4(input1, input2, input3, input4, output, f, Phash) {
-
-fun f(input1, input2, input3, input4):output.
-
-collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; forall y1:input1, y2:input2, y3:input3, y4:input4;
- return(f(x1, x2, x3, x4) = f(y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)).
-
-}
-
-def FixedSecondPreimageResistant_hash_5(input1, input2, input3, input4, input5, output, f, Phash) {
-
-fun f(input1, input2, input3, input4, input5):output.
-
-collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5;
- return(f(x1, x2, x3, x4, x5) = f(y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)).
-
-}
-
-def FixedSecondPreimageResistant_hash_6(input1, input2, input3, input4, input5, input6, output, f, Phash) {
-
-fun f(input1, input2, input3, input4, input5, input6):output.
-
-collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6;
- return(f(x1, x2, x3, x4, x5, x6) = f(y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)).
-
-}
-
-def FixedSecondPreimageResistant_hash_7(input1, input2, input3, input4, input5, input6, input7, output, f, Phash) {
-
-fun f(input1, input2, input3, input4, input5, input6, input7):output.
-
-collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7;
- return(f(x1, x2, x3, x4, x5, x6, x7) = f(y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)).
-
-}
-
-def FixedSecondPreimageResistant_hash_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, Phash) {
-
-fun f(input1, input2, input3, input4, input5, input6, input7, input8):output.
-
-collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8;
- return(f(x1, x2, x3, x4, x5, x6, x7, x8) = f(y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)).
-
-}
-
-def FixedSecondPreimageResistant_hash_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Phash) {
-
-fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9):output.
-
-collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9;
- return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)).
-
-}
-
-def FixedSecondPreimageResistant_hash_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Phash) {
-
-fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output.
-
-collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10;
- return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)).
-
-}
-
-def FixedSecondPreimageResistant_hash(input, output, f, Phash) {
-expand FixedSecondPreimageResistant_hash_1(input, output, f, Phash).
-}
-
-(* preimage-resistant hash function
- The interface is the same as for collision-resistant hash functions.
- *)
-
-def PreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1):output.
-
-fun f'(key, input1):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1;
- (Oim() := return(f(k, x1)) |
- foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) |
- Ox1() := return(x1)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1;
- (Oim() := return(f'(k, x1)) |
- foreach i <= Neq do Oeq(y1: input1) :=
- let r = (x1 = y1) in
- find suchthat defined(comp1) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_1(key, input1, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1, input2):output.
-
-fun f'(key, input1, input2):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2;
- (Oim() := return(f(k, x1, x2)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) |
- Ox1() := return(x1) | Ox2() := return(x2)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2;
- (Oim() := return(f'(k, x1, x2)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2) :=
- let r = (x1 = y1) && (x2 = y2) in
- find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1, input2, input3):output.
-
-fun f'(key, input1, input2, input3):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3;
- (Oim() := return(f(k, x1, x2, x3)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) |
- Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3;
- (Oim() := return(f'(k, x1, x2, x3)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) :=
- let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in
- find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1, input2, input3, input4):output.
-
-fun f'(key, input1, input2, input3, input4):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4;
- (Oim() := return(f(k, x1, x2, x3, x4)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) |
- Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4;
- (Oim() := return(f'(k, x1, x2, x3, x4)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) :=
- let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in
- find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1, input2, input3, input4, input5):output.
-
-fun f'(key, input1, input2, input3, input4, input5):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5;
- (Oim() := return(f(k, x1, x2, x3, x4, x5)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) |
- Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5;
- (Oim() := return(f'(k, x1, x2, x3, x4, x5)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) :=
- let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in
- find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1, input2, input3, input4, input5, input6):output.
-
-fun f'(key, input1, input2, input3, input4, input5, input6):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6;
- (Oim() := return(f(k, x1, x2, x3, x4, x5, x6)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) |
- Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6;
- (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) :=
- let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in
- find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1, input2, input3, input4, input5, input6, input7):output.
-
-fun f'(key, input1, input2, input3, input4, input5, input6, input7):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7;
- (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) |
- Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7;
- (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) :=
- let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in
- find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true
in return(x6) | Ox7() := let comp7: bool = true in return(x7))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output.
-
-fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8;
- (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) |
- Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8;
- (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) :=
- let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in
- find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat
defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output.
-
-fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9;
- (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) |
- Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9;
- (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) :=
- let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in
- find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in
return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, Phash) {
-
-fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output.
-
-fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output.
-
-param Nx, Neq.
-
-equiv(preimage_res(f))
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10;
- (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) |
- Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10)))
- <=(Nx * Phash(time))=>
- k <-R key;
- (Ok() := return(k) |
- foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10;
- (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8,
x9, x10)) |
- foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) :=
- let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in
- find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) |
- Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10))).
-
-let f_oracle(k: key) =
- OH() := return(k).
-
-}
-
-def PreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) {
- expand PreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, Phash).
-}
-
-def PreimageResistant_hash(key, input, output, f, f_oracle, Phash) {
-expand PreimageResistant_hash_1(key, input, output, f, f_oracle, Phash).
-}
-
-def PreimageResistant_hash_all_args(key, input, output, f, f', f_oracle, Phash) {
-expand PreimageResistant_hash_all_args_1(key, input, output, f, f', f_oracle, Phash).
-} - -(* Hidden key preimage-resistant hash function - The interface is the same as for hidden-key collision-resistant hash functions. - *) - -def HiddenKeyPreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1):output. - -fun f'(key, input1):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1) := return(f(k, z1)) | - foreach i <= Nx do x1 <-R input1; - (Oim() := return(f(k, x1)) | - foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | - Ox1() := return(x1))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1) := return(f(k, z1)) | - foreach i <= Nx do x1 <-R input1; - (Oim() := return(f'(k, x1)) | - foreach i <= Neq do Oeq(y1: input1) := - let r = (x1 = y1) in - find suchthat defined(comp1) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1) := - return(f(k, x1)). - -} - -def HiddenKeyPreimageResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2):output. - -fun f'(key, input1, input2):output. - -param N, Nx, Neq. 
- -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; - (Oim() := return(f(k, x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | - Ox1() := return(x1) | Ox2() := return(x2))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; - (Oim() := return(f'(k, x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := - let r = (x1 = y1) && (x2 = y2) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2) := - return(f(k, x1, x2)). - -} - -def HiddenKeyPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3):output. - -fun f'(key, input1, input2, input3):output. - -param N, Nx, Neq. 
- -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; - (Oim() := return(f(k, x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; - (Oim() := return(f'(k, x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3) := - return(f(k, x1, x2, x3)). - -} - -def HiddenKeyPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4):output. - -fun f'(key, input1, input2, input3, input4):output. - -param N, Nx, Neq. 
- -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; - (Oim() := return(f(k, x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; - (Oim() := return(f'(k, x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4) := - return(f(k, x1, x2, x3, x4)). - -} - -def HiddenKeyPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5):output. - -fun f'(key, input1, input2, input3, input4, input5):output. - -param N, Nx, Neq. 
- -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; - (Oim() := return(f(k, x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; - (Oim() := return(f'(k, x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := - return(f(k, x1, x2, x3, x4, x5)). - -} - -def HiddenKeyPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, qH, Phash). 
-} - -def HiddenKeyPreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -fun f'(key, input1, input2, input3, input4, input5, input6):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = 
true in return(x5) | Ox6() := let comp6: bool = true in return(x6))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := - return(f(k, x1, x2, x3, x4, x5, x6)). - -} - -def HiddenKeyPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7):output. - -param N, Nx, Neq. - -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do 
Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := - return(f(k, x1, x2, x3, x4, x5, x6, x7)). - -} - -def HiddenKeyPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -param N, Nx, Neq. 
- -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := 
let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). - -} - -def HiddenKeyPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -param N, Nx, Neq. 
- -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then 
return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). - -} - -def HiddenKeyPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, qH, Phash) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -param N, Nx, Neq. 
- -equiv(preimage_res(f)) - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; - (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10))) - <=(Nx * Phash(time, N))=> - k <-R key; - (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | - foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; - (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind 
suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10))). - - -param qH [noninteractive]. - -let f_oracle(k: key) = - foreach iH <= qH do - OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := - return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). - -} - -def HiddenKeyPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { - expand HiddenKeyPreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash(key, input, output, f, f_oracle, qH, Phash) { -expand HiddenKeyPreimageResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). -} - -def HiddenKeyPreimageResistant_hash_all_args(key, input, output, f, f', f_oracle, qH, Phash) { -expand HiddenKeyPreimageResistant_hash_all_args_1(key, input, output, f, f', f_oracle, qH, Phash). -} - -(* Fixed-hash preimage-resistant hash function - The interface is the same as for fixed-hash second-preimage-resistant hash functions. - *) - -def FixedPreimageResistant_hash_all_args_1(input1, output, f, f', Phash) { - -fun f(input1):output. - -fun f'(input1):output. 
- -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; (Oim() := return(f(x1)) | - foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | - Ox1() := return(x1)) - <=(Phash(time))=> - x1 <-R input1; (Oim() := return(f'(x1)) | - foreach i <= Neq do Oeq(y1: input1) := - let r = (x1 = y1) in - find suchthat defined(comp1) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1)). - -} - -def FixedPreimageResistant_hash_1(input1, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_1(input1, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_2(input1, input2, output, f, f', Phash) { - -fun f(input1, input2):output. - -fun f'(input1, input2):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; (Oim() := return(f(x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | - Ox1() := return(x1) | Ox2() := return(x2)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; (Oim() := return(f'(x1, x2)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2) := - let r = (x1 = y1) && (x2 = y2) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2)). - -} - -def FixedPreimageResistant_hash_2(input1, input2, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_2(input1, input2, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_3(input1, input2, input3, output, f, f', Phash) { - -fun f(input1, input2, input3):output. - -fun f'(input1, input2, input3):output. - -param Neq. 
- -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; (Oim() := return(f(x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; (Oim() := return(f'(x1, x2, x3)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3)). - -} - -def FixedPreimageResistant_hash_3(input1, input2, input3, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_3(input1, input2, input3, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_4(input1, input2, input3, input4, output, f, f', Phash) { - -fun f(input1, input2, input3, input4):output. - -fun f'(input1, input2, input3, input4):output. - -param Neq. 
- -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; (Oim() := return(f(x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; (Oim() := return(f'(x1, x2, x3, x4)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4)). - -} - -def FixedPreimageResistant_hash_4(input1, input2, input3, input4, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_4(input1, input2, input3, input4, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_5(input1, input2, input3, input4, input5, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5):output. - -fun f'(input1, input2, input3, input4, input5):output. - -param Neq. 
- -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; (Oim() := return(f(x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; (Oim() := return(f'(x1, x2, x3, x4, x5)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5)). - -} - -def FixedPreimageResistant_hash_5(input1, input2, input3, input4, input5, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_5(input1, input2, input3, input4, input5, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_6(input1, input2, input3, input4, input5, input6, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6):output. - -fun f'(input1, input2, input3, input4, input5, input6):output. - -param Neq. 
- -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; (Oim() := return(f(x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; (Oim() := return(f'(x1, x2, x3, x4, x5, x6)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6)). - -} - -def FixedPreimageResistant_hash_6(input1, input2, input3, input4, input5, input6, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_6(input1, input2, input3, input4, input5, input6, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_7(input1, input2, input3, input4, input5, input6, input7, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7):output. - -fun f'(input1, input2, input3, input4, input5, input6, input7):output. - -param Neq. 
- -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7)). - -} - -def FixedPreimageResistant_hash_7(input1, input2, input3, input4, input5, input6, input7, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_7(input1, input2, input3, input4, input5, input6, input7, output, f, f', Phash). 
-} - -def FixedPreimageResistant_hash_all_args_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7, input8):output. - -fun f'(input1, input2, input3, input4, input5, input6, input7, input8):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | 
Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8)). - -} - -def FixedPreimageResistant_hash_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -fun f'(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -param Neq. - -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8, x9)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) 
orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9)). - -} - -def FixedPreimageResistant_hash_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', Phash). -} - -def FixedPreimageResistant_hash_all_args_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', Phash) { - -fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -fun f'(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -param Neq. 
- -equiv(preimage_res(f)) - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | - Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10)) - <=(Phash(time))=> - x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | - foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := - let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in - find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | - Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in 
return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10)). - -} - -def FixedPreimageResistant_hash_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Phash) { - expand FixedPreimageResistant_hash_all_args_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', Phash). -} - -def FixedPreimageResistant_hash(input, output, f, Phash) { -expand FixedPreimageResistant_hash_1(input, output, f, Phash). -} - -def FixedPreimageResistant_hash_all_args(input, output, f, f', Phash) { -expand FixedPreimageResistant_hash_all_args_1(input, output, f, f', Phash). -} - -(* Pseudo random function (PRF) - key: type of keys, must be "bounded" (to be able to generate random numbers from it, and to talk about the runtime of f without mentioned the length of the key), typically "fixed" and "large". - input%: type of the %-th input of the PRF. - output: type of the output of the PRF, must be "bounded" or "nonuniform", typically "fixed". - - f: PRF function - - Pprf(t, N, l): probability of breaking the PRF property - in time t, for one key, N queries to the PRF of length at most l. - - The types key, input, output and the probability Pprf must - be declared before this macro is expanded. The function f - is declared by this macro. It must not be declared elsewhere, - and it can be used only after expanding the macro. - - *) - -def PRF_1(key, input1, output, f, Pprf) { - -fun f(key, input1):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_2(key, input1, input2, output, f, Pprf) { - -fun f(key, input1, input2):output. 
- -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_3(key, input1, input2, input3, output, f, Pprf) { - -fun f(key, input1, input2, input3):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_4(key, input1, input2, input3, input4, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_5(key, input1, input2, input3, input4, input5, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_6(key, input1, input2, input3, input4, input5, input6, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. 
- -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. - - - -} - -def PRF(key, input, output, f, Pprf) { -expand PRF_1(key, input, output, f, Pprf). -} - -(* Pseudo random function (PRF) with large output. - The only difference with PRF is that we eliminate collisions on the output. - The interface is the same as for PRFs. *) - -def PRF_large_1(key, input1, output, f, Pprf) { - -fun f(key, input1):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_2(key, input1, input2, output, f, Pprf) { - -fun f(key, input1, input2):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_3(key, input1, input2, input3, output, f, Pprf) { - -fun f(key, input1, input2, input3):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). 
- -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_4(key, input1, input2, input3, input4, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_5(key, input1, input2, input3, input4, input5, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_6(key, input1, input2, input3, input4, input5, input6, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. 
- - - -} - -def PRF_large_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Pprf) { - -fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. - -equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). - -equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. - - - -} - -def PRF_large(key, input, output, f, Pprf) { -expand PRF_large_1(key, input, output, f, Pprf). -} - -(* Ideal Cipher Model - cipherkey: type of keys that correspond to the choice of the scheme, must be "bounded" or "nonuniform", typically "fixed". - key: type of keys (typically "large") - blocksize: type of the input and output of the cipher, must be "bounded" or "nonuniform" (to be able to generate random numbers from it; typically "fixed") and "large". - (The modeling of the ideal cipher model is not perfect in that, in - order to encrypt a new message, one chooses a fresh random number, - not necessarily different from previously generated random - numbers. Then CryptoVerif needs to eliminate collisions between - those random numbers, so blocksize must really be "large".) - - enc: encryption function - dec: decryption function - WARNING: the encryption and decryption functions take 2 keys as - input: the key of type cipherkey that corresponds to the choice of - the scheme, and the normal encryption/decryption key. 
The cipherkey - must be chosen once and for all at the beginning of the game and - the encryption and decryption oracles must be made available to the - adversary, by including a process enc_dec_oracle(ck) where - ck is the cipherkey. - qE is the number of calls of the encryption oracle - qD is the number of calls of the decryption oracle - - The types cipherkey, key, blocksize must be declared before this - macro is expanded. The functions enc, dec, the process - enc_dec_oracle, and the parameters qE, qD are declared by this - macro. They must not be declared elsewhere, and they can be used - only after expanding the macro. - - *) - -def ICM_cipher(cipherkey, key, blocksize, enc, dec, enc_dec_oracle, qE, qD) { - -fun enc(cipherkey, blocksize, key): blocksize. -fun dec(cipherkey, blocksize, key): blocksize. - -equation forall ck:cipherkey, m:blocksize, k:key; - dec(ck, enc(ck, m, k), k) = m. -equation forall ck:cipherkey, m:blocksize, k:key; - enc(ck, dec(ck, m, k), k) = m. -equation forall ck:cipherkey, m1:blocksize, m2:blocksize, k:key; - (dec(ck, m1, k) = dec(ck, m2, k)) = (m1 = m2). -equation forall ck:cipherkey, m1:blocksize, m2:blocksize, k:key; - (enc(ck, m1, k) = enc(ck, m2, k)) = (m1 = m2). - -equiv(icm(enc)) special icm(("key", "msg", "local_key"), enc, dec, - (ck, k, me, md, u), ("large")). - -equiv(icm_partial(enc)) special icm_partial(("key", "msg", "local_key"), - enc, dec, (ck, k, me, md, u), ("large")) [manual]. - -(* The difference of probability is the probability of collision between two -random numbers in blocksize among the N+N2 chosen random numbers. *) - - param qE, qD [noninteractive]. - -let enc_dec_oracle(ck: cipherkey) = - (foreach iE <= qE do Oenc(x:blocksize, ke:key) := return(enc(ck,x,ke))) - | (foreach iD <= qD do Odec(m:blocksize, kd:key) := return(dec(ck,m,kd))). - -} - -(* random_split_N defines functions to split a random value into N values. 
- - input_t: type of the input value - part%_t: types of the output parts - tuple_t: type of a tuple of the output parts - tuple(part1_t, ..., partN_t): tuple_t builds a tuple from N parts. - split(input_t): tuple_t splits the input into N parts and returns a tuple of these parts - Usage: let tuple(x1, ..., xN) = split(y) in ... - - input_t, part%_t, and tuple_t must be defined before. - tuple and split are defined by this macro. *) - -def random_split_1(input_t, part1_t, tuple_t, tuple, split) { - - fun tuple(part1_t): tuple_t [data]. - - fun get1(input_t): part1_t. - - letfun split(r: input_t) = tuple(get1(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r))) - <=(0)=> - part1 <-R part1_t; - (O1() := return(part1)). - -} - -def random_split_2(input_t, part1_t, part2_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; - (O1() := return(part1) | O2() := return(part2)). - -} - -def random_split_3(input_t, part1_t, part2_t, part3_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3)). - -} - -def random_split_4(input_t, part1_t, part2_t, part3_t, part4_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. 
- fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4)). - -} - -def random_split_5(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5)). - -} - -def random_split_6(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r)). 
- - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6)). - -} - -def random_split_7(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - fun get7(input_t): part7_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7)). - -} - -def random_split_8(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - fun get7(input_t): part7_t. 
- fun get8(input_t): part8_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r)). - - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8)). - -} - -def random_split_9(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - fun get7(input_t): part7_t. - fun get8(input_t): part8_t. - fun get9(input_t): part9_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r), get9(r)). 
- - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r)) | O9() := return(get9(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; part9 <-R part9_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8) | O9() := return(part9)). - -} - -def random_split_10(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, part10_t, tuple_t, tuple, split) { - - fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, part10_t): tuple_t [data]. - - fun get1(input_t): part1_t. - fun get2(input_t): part2_t. - fun get3(input_t): part3_t. - fun get4(input_t): part4_t. - fun get5(input_t): part5_t. - fun get6(input_t): part6_t. - fun get7(input_t): part7_t. - fun get8(input_t): part8_t. - fun get9(input_t): part9_t. - fun get10(input_t): part10_t. - - letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r), get9(r), get10(r)). 
- - equiv(splitter(split)) - r <-R input_t; - (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r)) | O9() := return(get9(r)) | O10() := return(get10(r))) - <=(0)=> - part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; part9 <-R part9_t; part10 <-R part10_t; - (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8) | O9() := return(part9) | O10() := return(part10)). - -} - +(******************************* Hash functions (ROM) ****************************) + +(* Hash function in the random oracle model + key: type of the key of the hash function, which models the choice of the hash function, must be "bounded", typically "fixed" + input%: type of the %-th input of the hash function + output: type of the output of the hash function, must be "bounded" or "nonuniform" (typically "fixed"). + + f: the hash function. + WARNING: f is a keyed hash function. + The key must be generated once and for all at the beginning of the game + and the hash oracle must be made available to the adversary, + by including the process f_oracle(k) where k is the key. + qH is the number of calls to f_oracle. + + The types key, input%, and output must be declared before + this macro. The function f, the process f_oracle, and + the parameter qH are defined by this macro. They must not + be declared elsewhere, and they can be used only after expanding the + macro. + + *) + +def ROM_hash_1(key, input1, output, f, f_oracle, qH) { + +fun f(key, input1):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. 
+ + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def ROM_hash_2(key, input1, input2, output, f, f_oracle, qH) { + +fun f(key, input1, input2):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def ROM_hash_3(key, input1, input2, input3, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def ROM_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def ROM_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). 
+ +} + +def ROM_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def ROM_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def ROM_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). + +} + +def ROM_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). 
+ +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def ROM_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u)). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u)) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def ROM_hash(key, input, output, f, f_oracle, qH) { +expand ROM_hash_1(key, input, output, f, f_oracle, qH). +} + +(* ROM with large output. + The only difference with ROM is that we eliminate collisions on the output. + The interface is the same as for ROMs. *) + +def ROM_hash_large_1(key, input1, output, f, f_oracle, qH) { + +fun f(key, input1):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def ROM_hash_large_2(key, input1, input2, output, f, f_oracle, qH) { + +fun f(key, input1, input2):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. 
+ +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def ROM_hash_large_3(key, input1, input2, input3, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def ROM_hash_large_4(key, input1, input2, input3, input4, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def ROM_hash_large_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). + +} + +def ROM_hash_large_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. 
+ +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def ROM_hash_large_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def ROM_hash_large_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). + +} + +def ROM_hash_large_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. 
+ +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def ROM_hash_large_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +equiv(rom(f)) special rom("key_first", f, (hk, r, x, y, z, u), ("large")). + +equiv(rom_partial(f)) special rom_partial("key_first", f, (hk, r, x, y, z, u), ("large")) [manual]. + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def ROM_hash_large(key, input, output, f, f_oracle, qH) { +expand ROM_hash_large_1(key, input, output, f, f_oracle, qH). +} + +(* Collision resistant hash function + key: type of the key of the hash function, must be "bounded" or "nonuniform", typically "fixed" + input%: type of the %-th input of the hash function + output: type of the output of the hash function + + f: the hash function. + Phash: probability of breaking collision resistance. + WARNING: A collision resistant hash function is a keyed hash function. + The key must be generated once and for all at the beginning of the game, + and immediately made available to the adversary, for instance by + including the process f_oracle(k), where k is the key. + + The types key, input%, output, and the probability Phash + must be declared before this macro. The function f and the + process f_oracle are defined by this macro. They must not be + declared elsewhere, and they can be used only after expanding the + macro. 
+ + *) + +def CollisionResistant_hash_1(key, input1, output, f, f_oracle, Phash) { + +fun f(key, input1):output. + +collision k <-R key; forall x1:input1, y1:input1; + return(f(k, x1) = f(k, y1)) <=(Phash(time))=> return((x1 = y1)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { + +fun f(key, input1, input2):output. + +collision k <-R key; forall x1:input1, x2:input2, y1:input1, y2:input2; + return(f(k, x1, x2) = f(k, y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3; + return(f(k, x1, x2, x3) = f(k, y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4; + return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; + return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). + +let f_oracle(k: key) = + OH() := return(k). 
+ +} + +def CollisionResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; + return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; + return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). + +let f_oracle(k: key) = + OH() := return(k). 
+ +} + +def CollisionResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +collision k <-R key; forall x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def CollisionResistant_hash(key, input, output, f, f_oracle, Phash) { +expand CollisionResistant_hash_1(key, input, output, f, f_oracle, Phash). +} + +(* Hidden-key collision resistant hash function + The interface is similar to collision-resistant hash functions, except for the addition of qH. + WARNING: A hidden-key collision resistant hash function is a keyed hash function. 
+ The key must be generated once and for all at the beginning of the game, + and the hash oracle must be made available to the adversary, + by including the process f_oracle(k) where k is the key. + qH is the number of calls to f_oracle. + Phash(t,N): probability of breaking collision resistance + for an adversary that runs in time at most t + and calls the hash oracle at most N times. *) + +def HiddenKeyCollisionResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { + +fun f(key, input1):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1) := return(f(k, x1)) | + foreach i <= Ncoll do Ocoll(x1:input1, y1:input1) [useful_change] := return(f(k, x1) = f(k, y1))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1) := return(f(k, x1)) | + foreach i <= Ncoll do Ocoll(x1:input1, y1:input1) := return((x1 = y1))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def HiddenKeyCollisionResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2) := return(f(k, x1, x2)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, y1:input1, y2:input2) [useful_change] := return(f(k, x1, x2) = f(k, y1, y2))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2) := return(f(k, x1, x2)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, y1:input1, y2:input2) := return((x1 = y1) && (x2 = y2))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def HiddenKeyCollisionResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3):output. + +param N, Ncoll. 
+ +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3) := return(f(k, x1, x2, x3)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3) [useful_change] := return(f(k, x1, x2, x3) = f(k, y1, y2, y3))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3) := return(f(k, x1, x2, x3)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, y1:input1, y2:input2, y3:input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def HiddenKeyCollisionResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +param N, Ncoll. + +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4) := return(f(k, x1, x2, x3, x4)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4) [useful_change] := return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4) := return(f(k, x1, x2, x3, x4)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, y1:input1, y2:input2, y3:input3, y4:input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def HiddenKeyCollisionResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +param N, Ncoll. 
+ +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5) := return(f(k, x1, x2, x3, x4, x5)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) [useful_change] := return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5) := return(f(k, x1, x2, x3, x4, x5)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). + +} + +def HiddenKeyCollisionResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +param N, Ncoll. 
+ +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6) := return(f(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6) := return(f(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def HiddenKeyCollisionResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +param N, Ncoll. 
+ +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7) := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7) := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def HiddenKeyCollisionResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +param N, Ncoll. 
+ +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). + +} + +def HiddenKeyCollisionResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param N, Ncoll. 
+ +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def HiddenKeyCollisionResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param N, Ncoll. 
+ +equiv(collision_res(f)) + k <-R key; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10))) + <=(Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10) := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Ncoll do Ocoll(x1:input1, x2:input2, x3:input3, x4:input4, x5:input5, x6:input6, x7:input7, x8:input8, x9:input9, x10:input10, y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def HiddenKeyCollisionResistant_hash(key, input, output, f, f_oracle, qH, Phash) { +expand HiddenKeyCollisionResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). + } + +(* Second-preimage-resistant hash function + The interface is the same as for collision-resistant hash functions. + *) + +def SecondPreimageResistant_hash_1(key, input1, output, f, f_oracle, Phash) { + +fun f(key, input1):output. 
+ +collision k <-R key; x1 <-R input1; forall y1:input1; + return(f(k, x1) = f(k, y1)) <=(Phash(time))=> return((x1 = y1)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { + +fun f(key, input1, input2):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; forall y1:input1, y2:input2; + return(f(k, x1, x2) = f(k, y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; forall y1:input1, y2:input2, y3:input3; + return(f(k, x1, x2, x3) = f(k, y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; forall y1:input1, y2:input2, y3:input3, y4:input4; + return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; + return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). + +let f_oracle(k: key) = + OH() := return(k). 
+ +} + +def SecondPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; + return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; + return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). + +let f_oracle(k: key) = + OH() := return(k). 
+ +} + +def SecondPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +collision k <-R key; x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def SecondPreimageResistant_hash(key, input, output, f, f_oracle, Phash) { +expand SecondPreimageResistant_hash_1(key, input, output, f, f_oracle, Phash). +} + +(* Hidden key second-preimage-resistant hash function + The interface is the same as for hidden-key collision-resistant hash functions. 
+ *) + +def HiddenKeySecondPreimageResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { + +fun f(key, input1):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1) := return(f(k, z1)) | + foreach i <= Nx do x1 <-R input1; + (Ox1() := return(x1) | + foreach i <= Ncoll do Ocoll(y1:input1) [useful_change] := return(f(k, x1) = f(k, y1)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1) := return(f(k, z1)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; + (Ox1() := return(x1) | + foreach i <= Ncoll do Ocoll(y1:input1) := return((x1 = y1)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def HiddenKeySecondPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Ox1() := return(x1) | Ox2() := return(x2) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2) [useful_change] := return(f(k, x1, x2) = f(k, y1, y2)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2) := return((x1 = y1) && (x2 = y2)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def HiddenKeySecondPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3):output. + +param N, Nx, Ncoll. 
+ +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3) [useful_change] := return(f(k, x1, x2, x3) = f(k, y1, y2, y3)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def HiddenKeySecondPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +param N, Nx, Ncoll. 
+ +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4) [useful_change] := return(f(k, x1, x2, x3, x4) = f(k, y1, y2, y3, y4)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def HiddenKeySecondPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +param N, Nx, Ncoll. 
+ +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) [useful_change] := return(f(k, x1, x2, x3, x4, x5) = f(k, y1, y2, y3, y4, y5)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). + +} + +def HiddenKeySecondPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +param N, Nx, Ncoll. 
+ +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6) = f(k, y1, y2, y3, y4, y5, y6)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def HiddenKeySecondPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +param N, Nx, Ncoll. 
+ +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7) = f(k, y1, y2, y3, y4, y5, y6, y7)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def HiddenKeySecondPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +param N, Nx, Ncoll. 
+ +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8) = f(k, y1, y2, y3, y4, y5, y6, y7, y8)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). 
+ +} + +def HiddenKeySecondPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 [unchanged]; x9 <-R input9 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && 
(x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def HiddenKeySecondPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param N, Nx, Ncoll. + +equiv(second_pre_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) [useful_change] := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(k, y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)))) + <=(Nx * Phash(time, N))=> [computational] + k <-R key [unchanged]; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | + foreach i <= Nx do x1 <-R input1 [unchanged]; x2 <-R input2 [unchanged]; x3 <-R input3 [unchanged]; x4 <-R input4 [unchanged]; x5 <-R input5 [unchanged]; x6 <-R input6 [unchanged]; x7 <-R input7 [unchanged]; x8 <-R input8 
[unchanged]; x9 <-R input9 [unchanged]; x10 <-R input10 [unchanged]; + (Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10) | + foreach i <= Ncoll do Ocoll(y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def HiddenKeySecondPreimageResistant_hash(key, input, output, f, f_oracle, qH, Phash) { +expand HiddenKeySecondPreimageResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). + } + +(* Fixed-hash second-preimage-resistant hash function + input%: type of the %-th input of the hash function + output: type of the output of the hash function + + f(input...):output : the hash function. (It is not keyed.) + Phash: probability of breaking second-preimage resistance. + + The types input%, output, and the probability Phash + must be declared before this macro. The function f + is defined by this macro. It must not be + declared elsewhere, and it can be used only after expanding the + macro. + *) + +def FixedSecondPreimageResistant_hash_1(input1, output, f, Phash) { + +fun f(input1):output. + +collision x1 <-R input1; forall y1:input1; + return(f(x1) = f(y1)) <=(Phash(time))=> return((x1 = y1)). + +} + +def FixedSecondPreimageResistant_hash_2(input1, input2, output, f, Phash) { + +fun f(input1, input2):output. 
+ +collision x1 <-R input1; x2 <-R input2; forall y1:input1, y2:input2; + return(f(x1, x2) = f(y1, y2)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2)). + +} + +def FixedSecondPreimageResistant_hash_3(input1, input2, input3, output, f, Phash) { + +fun f(input1, input2, input3):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; forall y1:input1, y2:input2, y3:input3; + return(f(x1, x2, x3) = f(y1, y2, y3)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3)). + +} + +def FixedSecondPreimageResistant_hash_4(input1, input2, input3, input4, output, f, Phash) { + +fun f(input1, input2, input3, input4):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; forall y1:input1, y2:input2, y3:input3, y4:input4; + return(f(x1, x2, x3, x4) = f(y1, y2, y3, y4)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)). + +} + +def FixedSecondPreimageResistant_hash_5(input1, input2, input3, input4, input5, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5; + return(f(x1, x2, x3, x4, x5) = f(y1, y2, y3, y4, y5)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)). + +} + +def FixedSecondPreimageResistant_hash_6(input1, input2, input3, input4, input5, input6, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6; + return(f(x1, x2, x3, x4, x5, x6) = f(y1, y2, y3, y4, y5, y6)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)). 
+ +} + +def FixedSecondPreimageResistant_hash_7(input1, input2, input3, input4, input5, input6, input7, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7; + return(f(x1, x2, x3, x4, x5, x6, x7) = f(y1, y2, y3, y4, y5, y6, y7)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)). + +} + +def FixedSecondPreimageResistant_hash_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8; + return(f(x1, x2, x3, x4, x5, x6, x7, x8) = f(y1, y2, y3, y4, y5, y6, y7, y8)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)). + +} + +def FixedSecondPreimageResistant_hash_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9; + return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9) = f(y1, y2, y3, y4, y5, y6, y7, y8, y9)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)). 
+ +} + +def FixedSecondPreimageResistant_hash_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +collision x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; forall y1:input1, y2:input2, y3:input3, y4:input4, y5:input5, y6:input6, y7:input7, y8:input8, y9:input9, y10:input10; + return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10) = f(y1, y2, y3, y4, y5, y6, y7, y8, y9, y10)) <=(Phash(time))=> return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)). + +} + +def FixedSecondPreimageResistant_hash(input, output, f, Phash) { +expand FixedSecondPreimageResistant_hash_1(input, output, f, Phash). +} + +(* preimage-resistant hash function + The interface is the same as for collision-resistant hash functions. + *) + +def PreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, Phash) { + +fun f(key, input1):output. + +fun f'(key, input1):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; + (Oim() := return(f(k, x1)) | + foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | + Ox1() := return(x1))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; + (Oim() := return(f'(k, x1)) | + foreach i <= Neq do Oeq(y1: input1) := + let r = (x1 = y1) in + find suchthat defined(comp1) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_1(key, input1, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, Phash). 
+} + +def PreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2):output. + +fun f'(key, input1, input2):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Oim() := return(f(k, x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | + Ox1() := return(x1) | Ox2() := return(x2))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Oim() := return(f'(k, x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := + let r = (x1 = y1) && (x2 = y2) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3):output. + +fun f'(key, input1, input2, input3):output. + +param Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Oim() := return(f(k, x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Oim() := return(f'(k, x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +fun f'(key, input1, input2, input3, input4):output. + +param Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Oim() := return(f(k, x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Oim() := return(f'(k, x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +fun f'(key, input1, input2, input3, input4, input5):output. + +param Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Oim() := return(f(k, x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Oim() := return(f'(k, x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +fun f'(key, input1, input2, input3, input4, input5, input6):output. + +param Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, Phash). 
+} + +def PreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true 
in return(x6) | Ox7() := let comp7: bool = true in return(x7))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat 
defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in 
return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10))) + <=(Nx * Phash(time))=> + k <-R key; + (Ok() := return(k) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, 
x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10))). + +let f_oracle(k: key) = + OH() := return(k). + +} + +def PreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, Phash) { + expand PreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, Phash). +} + +def PreimageResistant_hash(key, input, output, f, f_oracle, Phash) { +expand PreimageResistant_hash_1(key, input, output, f, f_oracle, Phash). +} + +def PreimageResistant_hash_all_args(key, input, output, f, f', f_oracle, Phash) { +expand PreimageResistant_hash_all_args_1(key, input, output, f, f', f_oracle, Phash). 
+} + +(* Hidden key preimage-resistant hash function + The interface is the same as for hidden-key collision-resistant hash functions. + *) + +def HiddenKeyPreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1):output. + +fun f'(key, input1):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1) := return(f(k, z1)) | + foreach i <= Nx do x1 <-R input1; + (Oim() := return(f(k, x1)) | + foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | + Ox1() := return(x1))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1) := return(f(k, z1)) | + foreach i <= Nx do x1 <-R input1; + (Oim() := return(f'(k, x1)) | + foreach i <= Neq do Oeq(y1: input1) := + let r = (x1 = y1) in + find suchthat defined(comp1) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1) := + return(f(k, x1)). + +} + +def HiddenKeyPreimageResistant_hash_1(key, input1, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_1(key, input1, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2):output. + +fun f'(key, input1, input2):output. + +param N, Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Oim() := return(f(k, x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | + Ox1() := return(x1) | Ox2() := return(x2))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2) := return(f(k, z1, z2)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; + (Oim() := return(f'(k, x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := + let r = (x1 = y1) && (x2 = y2) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2) := + return(f(k, x1, x2)). + +} + +def HiddenKeyPreimageResistant_hash_2(key, input1, input2, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_2(key, input1, input2, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3):output. + +fun f'(key, input1, input2, input3):output. + +param N, Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Oim() := return(f(k, x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3) := return(f(k, z1, z2, z3)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; + (Oim() := return(f'(k, x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3) := + return(f(k, x1, x2, x3)). + +} + +def HiddenKeyPreimageResistant_hash_3(key, input1, input2, input3, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_3(key, input1, input2, input3, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4):output. + +fun f'(key, input1, input2, input3, input4):output. + +param N, Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Oim() := return(f(k, x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4) := return(f(k, z1, z2, z3, z4)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; + (Oim() := return(f'(k, x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4) := + return(f(k, x1, x2, x3, x4)). + +} + +def HiddenKeyPreimageResistant_hash_4(key, input1, input2, input3, input4, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_4(key, input1, input2, input3, input4, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5):output. + +fun f'(key, input1, input2, input3, input4, input5):output. + +param N, Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Oim() := return(f(k, x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5) := return(f(k, z1, z2, z3, z4, z5)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; + (Oim() := return(f'(k, x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5) := + return(f(k, x1, x2, x3, x4, x5)). + +} + +def HiddenKeyPreimageResistant_hash_5(key, input1, input2, input3, input4, input5, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_5(key, input1, input2, input3, input4, input5, output, f, f', f_oracle, qH, Phash). 
+} + +def HiddenKeyPreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +fun f'(key, input1, input2, input3, input4, input5, input6):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6) := return(f(k, z1, z2, z3, z4, z5, z6)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = 
true in return(x5) | Ox6() := let comp6: bool = true in return(x6))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6) := + return(f(k, x1, x2, x3, x4, x5, x6)). + +} + +def HiddenKeyPreimageResistant_hash_6(key, input1, input2, input3, input4, input5, input6, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_6(key, input1, input2, input3, input4, input5, input6, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7):output. + +param N, Nx, Neq. + +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7) := return(f(k, z1, z2, z3, z4, z5, z6, z7)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do 
Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7) := + return(f(k, x1, x2, x3, x4, x5, x6, x7)). + +} + +def HiddenKeyPreimageResistant_hash_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +param N, Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := 
let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8)). + +} + +def HiddenKeyPreimageResistant_hash_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param N, Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then 
return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9)). + +} + +def HiddenKeyPreimageResistant_hash_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, qH, Phash) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +fun f'(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param N, Nx, Neq. 
+ +equiv(preimage_res(f)) + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Oim() := return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10))) + <=(Nx * Phash(time, N))=> + k <-R key; + (foreach i <= N do O(z1:input1, z2:input2, z3:input3, z4:input4, z5:input5, z6:input6, z7:input7, z8:input8, z9:input9, z10:input10) := return(f(k, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10)) | + foreach i <= Nx do x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; + (Oim() := return(f'(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind 
suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10))). + + +param qH [noninteractive]. + +let f_oracle(k: key) = + foreach iH <= qH do + OH(x1: input1, x2: input2, x3: input3, x4: input4, x5: input5, x6: input6, x7: input7, x8: input8, x9: input9, x10: input10) := + return(f(k, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)). + +} + +def HiddenKeyPreimageResistant_hash_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f_oracle, qH, Phash) { + expand HiddenKeyPreimageResistant_hash_all_args_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash(key, input, output, f, f_oracle, qH, Phash) { +expand HiddenKeyPreimageResistant_hash_1(key, input, output, f, f_oracle, qH, Phash). +} + +def HiddenKeyPreimageResistant_hash_all_args(key, input, output, f, f', f_oracle, qH, Phash) { +expand HiddenKeyPreimageResistant_hash_all_args_1(key, input, output, f, f', f_oracle, qH, Phash). +} + +(* Fixed-hash preimage-resistant hash function + The interface is the same as for fixed-hash second-preimage-resistant hash functions. + *) + +def FixedPreimageResistant_hash_all_args_1(input1, output, f, f', Phash) { + +fun f(input1):output. + +fun f'(input1):output. 
+ +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; (Oim() := return(f(x1)) | + foreach i <= Neq do Oeq(y1: input1) := return((x1 = y1)) | + Ox1() := return(x1)) + <=(Phash(time))=> + x1 <-R input1; (Oim() := return(f'(x1)) | + foreach i <= Neq do Oeq(y1: input1) := + let r = (x1 = y1) in + find suchthat defined(comp1) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1)). + +} + +def FixedPreimageResistant_hash_1(input1, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_1(input1, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_2(input1, input2, output, f, f', Phash) { + +fun f(input1, input2):output. + +fun f'(input1, input2):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; (Oim() := return(f(x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := return((x1 = y1) && (x2 = y2)) | + Ox1() := return(x1) | Ox2() := return(x2)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; (Oim() := return(f'(x1, x2)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2) := + let r = (x1 = y1) && (x2 = y2) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2)). + +} + +def FixedPreimageResistant_hash_2(input1, input2, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_2(input1, input2, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_3(input1, input2, input3, output, f, f', Phash) { + +fun f(input1, input2, input3):output. + +fun f'(input1, input2, input3):output. + +param Neq. 
+ +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; (Oim() := return(f(x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := return((x1 = y1) && (x2 = y2) && (x3 = y3)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; (Oim() := return(f'(x1, x2, x3)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3)). + +} + +def FixedPreimageResistant_hash_3(input1, input2, input3, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_3(input1, input2, input3, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_4(input1, input2, input3, input4, output, f, f', Phash) { + +fun f(input1, input2, input3, input4):output. + +fun f'(input1, input2, input3, input4):output. + +param Neq. 
+ +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; (Oim() := return(f(x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; (Oim() := return(f'(x1, x2, x3, x4)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4)). + +} + +def FixedPreimageResistant_hash_4(input1, input2, input3, input4, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_4(input1, input2, input3, input4, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_5(input1, input2, input3, input4, input5, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5):output. + +fun f'(input1, input2, input3, input4, input5):output. + +param Neq. 
+ +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; (Oim() := return(f(x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; (Oim() := return(f'(x1, x2, x3, x4, x5)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5)). + +} + +def FixedPreimageResistant_hash_5(input1, input2, input3, input4, input5, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_5(input1, input2, input3, input4, input5, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_6(input1, input2, input3, input4, input5, input6, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6):output. + +fun f'(input1, input2, input3, input4, input5, input6):output. + +param Neq. 
+ +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; (Oim() := return(f(x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; (Oim() := return(f'(x1, x2, x3, x4, x5, x6)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6)). + +} + +def FixedPreimageResistant_hash_6(input1, input2, input3, input4, input5, input6, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_6(input1, input2, input3, input4, input5, input6, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_7(input1, input2, input3, input4, input5, input6, input7, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7):output. + +fun f'(input1, input2, input3, input4, input5, input6, input7):output. + +param Neq. 
+ +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7)). + +} + +def FixedPreimageResistant_hash_7(input1, input2, input3, input4, input5, input6, input7, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_7(input1, input2, input3, input4, input5, input6, input7, output, f, f', Phash). 
+} + +def FixedPreimageResistant_hash_all_args_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8):output. + +fun f'(input1, input2, input3, input4, input5, input6, input7, input8):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | 
Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8)). + +} + +def FixedPreimageResistant_hash_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_8(input1, input2, input3, input4, input5, input6, input7, input8, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +fun f'(input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +param Neq. + +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8, x9)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) 
orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9)). + +} + +def FixedPreimageResistant_hash_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_9(input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, f', Phash). +} + +def FixedPreimageResistant_hash_all_args_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', Phash) { + +fun f(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +fun f'(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +param Neq. 
+ +equiv(preimage_res(f)) + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; (Oim() := return(f(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := return((x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10)) | + Ox1() := return(x1) | Ox2() := return(x2) | Ox3() := return(x3) | Ox4() := return(x4) | Ox5() := return(x5) | Ox6() := return(x6) | Ox7() := return(x7) | Ox8() := return(x8) | Ox9() := return(x9) | Ox10() := return(x10)) + <=(Phash(time))=> + x1 <-R input1; x2 <-R input2; x3 <-R input3; x4 <-R input4; x5 <-R input5; x6 <-R input6; x7 <-R input7; x8 <-R input8; x9 <-R input9; x10 <-R input10; (Oim() := return(f'(x1, x2, x3, x4, x5, x6, x7, x8, x9, x10)) | + foreach i <= Neq do Oeq(y1: input1, y2: input2, y3: input3, y4: input4, y5: input5, y6: input6, y7: input7, y8: input8, y9: input9, y10: input10) := + let r = (x1 = y1) && (x2 = y2) && (x3 = y3) && (x4 = y4) && (x5 = y5) && (x6 = y6) && (x7 = y7) && (x8 = y8) && (x9 = y9) && (x10 = y10) in + find suchthat defined(comp1) then return(r) orfind suchthat defined(comp2) then return(r) orfind suchthat defined(comp3) then return(r) orfind suchthat defined(comp4) then return(r) orfind suchthat defined(comp5) then return(r) orfind suchthat defined(comp6) then return(r) orfind suchthat defined(comp7) then return(r) orfind suchthat defined(comp8) then return(r) orfind suchthat defined(comp9) then return(r) orfind suchthat defined(comp10) then return(r) else return(false) | + Ox1() := let comp1: bool = true in return(x1) | Ox2() := let comp2: bool = true in return(x2) | Ox3() := let comp3: bool = true in return(x3) | Ox4() := let comp4: bool = true in return(x4) | Ox5() := let comp5: bool = true in 
return(x5) | Ox6() := let comp6: bool = true in return(x6) | Ox7() := let comp7: bool = true in return(x7) | Ox8() := let comp8: bool = true in return(x8) | Ox9() := let comp9: bool = true in return(x9) | Ox10() := let comp10: bool = true in return(x10)). + +} + +def FixedPreimageResistant_hash_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Phash) { + expand FixedPreimageResistant_hash_all_args_10(input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, f', Phash). +} + +def FixedPreimageResistant_hash(input, output, f, Phash) { +expand FixedPreimageResistant_hash_1(input, output, f, Phash). +} + +def FixedPreimageResistant_hash_all_args(input, output, f, f', Phash) { +expand FixedPreimageResistant_hash_all_args_1(input, output, f, f', Phash). +} + +(* Pseudo random function (PRF) + key: type of keys, must be "bounded" (to be able to generate random numbers from it, and to talk about the runtime of f without mentioned the length of the key), typically "fixed" and "large". + input%: type of the %-th input of the PRF. + output: type of the output of the PRF, must be "bounded" or "nonuniform", typically "fixed". + + f: PRF function + + Pprf(t, N, l): probability of breaking the PRF property + in time t, for one key, N queries to the PRF of length at most l. + + The types key, input, output and the probability Pprf must + be declared before this macro is expanded. The function f + is declared by this macro. It must not be declared elsewhere, + and it can be used only after expanding the macro. + + *) + +def PRF_1(key, input1, output, f, Pprf) { + +fun f(key, input1):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_2(key, input1, input2, output, f, Pprf) { + +fun f(key, input1, input2):output. 
+ +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_3(key, input1, input2, input3, output, f, Pprf) { + +fun f(key, input1, input2, input3):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_4(key, input1, input2, input3, input4, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_5(key, input1, input2, input3, input4, input5, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_6(key, input1, input2, input3, input4, input5, input6, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. 
+ +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u)). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u)) [manual]. + + + +} + +def PRF(key, input, output, f, Pprf) { +expand PRF_1(key, input, output, f, Pprf). +} + +(* Pseudo random function (PRF) with large output. + The only difference with PRF is that we eliminate collisions on the output. + The interface is the same as for PRFs. *) + +def PRF_large_1(key, input1, output, f, Pprf) { + +fun f(key, input1):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_2(key, input1, input2, output, f, Pprf) { + +fun f(key, input1, input2):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_3(key, input1, input2, input3, output, f, Pprf) { + +fun f(key, input1, input2, input3):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). 
+ +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_4(key, input1, input2, input3, input4, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_5(key, input1, input2, input3, input4, input5, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_6(key, input1, input2, input3, input4, input5, input6, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_7(key, input1, input2, input3, input4, input5, input6, input7, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_8(key, input1, input2, input3, input4, input5, input6, input7, input8, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. 
+ + + +} + +def PRF_large_9(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large_10(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10, output, f, Pprf) { + +fun f(key, input1, input2, input3, input4, input5, input6, input7, input8, input9, input10):output. + +equiv(prf(f)) special prf("key_first", f, Pprf, (k, r, x, y, z, u), ("large")). + +equiv(prf_partial(f)) special prf_partial("key_first", f, Pprf, (k, r, x, y, z, u), ("large")) [manual]. + + + +} + +def PRF_large(key, input, output, f, Pprf) { +expand PRF_large_1(key, input, output, f, Pprf). +} + +(* Ideal Cipher Model + cipherkey: type of keys that correspond to the choice of the scheme, must be "bounded" or "nonuniform", typically "fixed". + key: type of keys (typically "large") + blocksize: type of the input and output of the cipher, must be "bounded" or "nonuniform" (to be able to generate random numbers from it; typically "fixed") and "large". + (The modeling of the ideal cipher model is not perfect in that, in + order to encrypt a new message, one chooses a fresh random number, + not necessarily different from previously generated random + numbers. Then CryptoVerif needs to eliminate collisions between + those random numbers, so blocksize must really be "large".) + + enc: encryption function + dec: decryption function + WARNING: the encryption and decryption functions take 2 keys as + input: the key of type cipherkey that corresponds to the choice of + the scheme, and the normal encryption/decryption key. 
The cipherkey + must be chosen once and for all at the beginning of the game and + the encryption and decryption oracles must be made available to the + adversary, by including a process enc_dec_oracle(ck) where + ck is the cipherkey. + qE is the number of calls of the encryption oracle + qD is the number of calls of the decryption oracle + + The types cipherkey, key, blocksize must be declared before this + macro is expanded. The functions enc, dec, the process + enc_dec_oracle, and the parameters qE, qD are declared by this + macro. They must not be declared elsewhere, and they can be used + only after expanding the macro. + + *) + +def ICM_cipher(cipherkey, key, blocksize, enc, dec, enc_dec_oracle, qE, qD) { + +fun enc(cipherkey, blocksize, key): blocksize. +fun dec(cipherkey, blocksize, key): blocksize. + +equation forall ck:cipherkey, m:blocksize, k:key; + dec(ck, enc(ck, m, k), k) = m. +equation forall ck:cipherkey, m:blocksize, k:key; + enc(ck, dec(ck, m, k), k) = m. +equation forall ck:cipherkey, m1:blocksize, m2:blocksize, k:key; + (dec(ck, m1, k) = dec(ck, m2, k)) = (m1 = m2). +equation forall ck:cipherkey, m1:blocksize, m2:blocksize, k:key; + (enc(ck, m1, k) = enc(ck, m2, k)) = (m1 = m2). + +equiv(icm(enc)) special icm(("key", "msg", "local_key"), enc, dec, + (ck, k, me, md, u), ("large")). + +equiv(icm_partial(enc)) special icm_partial(("key", "msg", "local_key"), + enc, dec, (ck, k, me, md, u), ("large")) [manual]. + +(* The difference of probability is the probability of collision between two +random numbers in blocksize among the N+N2 chosen random numbers. *) + + param qE, qD [noninteractive]. + +let enc_dec_oracle(ck: cipherkey) = + (foreach iE <= qE do Oenc(x:blocksize, ke:key) := return(enc(ck,x,ke))) + | (foreach iD <= qD do Odec(m:blocksize, kd:key) := return(dec(ck,m,kd))). + +} + +(* random_split_N defines functions to split a random value into N values. 
+ + input_t: type of the input value + part%_t: types of the output parts + tuple_t: type of a tuple of the output parts + tuple(part1_t, ..., partN_t): tuple_t builds a tuple from N parts. + split(input_t): tuple_t splits the input into N parts and returns a tuple of these parts + Usage: let tuple(x1, ..., xN) = split(y) in ... + + input_t, part%_t, and tuple_t must be defined before. + tuple and split are defined by this macro. *) + +def random_split_1(input_t, part1_t, tuple_t, tuple, split) { + + fun tuple(part1_t): tuple_t [data]. + + fun get1(input_t): part1_t. + + letfun split(r: input_t) = tuple(get1(r)). + + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r))) + <=(0)=> + part1 <-R part1_t; + (O1() := return(part1)). + +} + +def random_split_2(input_t, part1_t, part2_t, tuple_t, tuple, split) { + + fun tuple(part1_t, part2_t): tuple_t [data]. + + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r)). + + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; + (O1() := return(part1) | O2() := return(part2)). + +} + +def random_split_3(input_t, part1_t, part2_t, part3_t, tuple_t, tuple, split) { + + fun tuple(part1_t, part2_t, part3_t): tuple_t [data]. + + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r)). + + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3)). + +} + +def random_split_4(input_t, part1_t, part2_t, part3_t, part4_t, tuple_t, tuple, split) { + + fun tuple(part1_t, part2_t, part3_t, part4_t): tuple_t [data]. + + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. 
+ fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r)). + + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4)). + +} + +def random_split_5(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, tuple_t, tuple, split) { + + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t): tuple_t [data]. + + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r)). + + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5)). + +} + +def random_split_6(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, tuple_t, tuple, split) { + + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t): tuple_t [data]. + + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r)). 
+ + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6)). + +} + +def random_split_7(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, tuple_t, tuple, split) { + + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t): tuple_t [data]. + + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. + fun get7(input_t): part7_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r)). + + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7)). + +} + +def random_split_8(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, tuple_t, tuple, split) { + + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t): tuple_t [data]. + + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. + fun get7(input_t): part7_t. 
+ fun get8(input_t): part8_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r)). + + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8)). + +} + +def random_split_9(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, tuple_t, tuple, split) { + + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t): tuple_t [data]. + + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. + fun get7(input_t): part7_t. + fun get8(input_t): part8_t. + fun get9(input_t): part9_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r), get9(r)). 
+ + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r)) | O9() := return(get9(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; part9 <-R part9_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8) | O9() := return(part9)). + +} + +def random_split_10(input_t, part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, part10_t, tuple_t, tuple, split) { + + fun tuple(part1_t, part2_t, part3_t, part4_t, part5_t, part6_t, part7_t, part8_t, part9_t, part10_t): tuple_t [data]. + + fun get1(input_t): part1_t. + fun get2(input_t): part2_t. + fun get3(input_t): part3_t. + fun get4(input_t): part4_t. + fun get5(input_t): part5_t. + fun get6(input_t): part6_t. + fun get7(input_t): part7_t. + fun get8(input_t): part8_t. + fun get9(input_t): part9_t. + fun get10(input_t): part10_t. + + letfun split(r: input_t) = tuple(get1(r), get2(r), get3(r), get4(r), get5(r), get6(r), get7(r), get8(r), get9(r), get10(r)). 
+ + equiv(splitter(split)) + r <-R input_t; + (O1() := return(get1(r)) | O2() := return(get2(r)) | O3() := return(get3(r)) | O4() := return(get4(r)) | O5() := return(get5(r)) | O6() := return(get6(r)) | O7() := return(get7(r)) | O8() := return(get8(r)) | O9() := return(get9(r)) | O10() := return(get10(r))) + <=(0)=> + part1 <-R part1_t; part2 <-R part2_t; part3 <-R part3_t; part4 <-R part4_t; part5 <-R part5_t; part6 <-R part6_t; part7 <-R part7_t; part8 <-R part8_t; part9 <-R part9_t; part10 <-R part10_t; + (O1() := return(part1) | O2() := return(part2) | O3() := return(part3) | O4() := return(part4) | O5() := return(part5) | O6() := return(part6) | O7() := return(part7) | O8() := return(part8) | O9() := return(part9) | O10() := return(part10)). + +} + (* The types input_t and output_t MUST be fixed. *) def truncate(input_t, output_t, truncate_f) { @@ -8125,8 +8645,8 @@ def GDH_RSR_minimal(G, Z, g, exp, mult, pGDH, pDistRerandom) { negligible probability, even in the presence of a decision DH oracle DH(A,B,C) tells whether A = g^a, C = B^a for some a. *) -param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, naDH9, - nb, nbDDH, nbDDH1, nbDDH2, nbDDH3, nbDDH4, nbDDH5, nbDDH6, nbDDH7, nbDDH8, nbDH9. +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, naDH9, + nb, nbeq, nbDDH, nbDDH1, nbDDH2, nbDDH3, nbDDH4, nbDDH5, nbDDH6, nbDDH7, nbDDH8, nbDH9. (* In the code below: - oracles OA and OB give the public Diffie-Hellman keys to the adversary 
@@ -8136,21 +8656,28 @@ param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDDH6, naDDH7, naDDH8, using exp(g,a), since exp(g,a) is not a subterm of exp(g, mult(a,x)). - Oracles ODDHa1, ODDHa, ODDHa8, ODDHb1, ODDHb, ODDHb8 are instances of the decision DH oracle. - ODDHa1(m,m') = DH(exp(g,a), m', m) - ODDHa(m,j) = DH(exp(g,a), exp(g,b[j]), m) + ODDHa1[i](m,m') = DH_a(i, m', m) + ODDHa8[i](m,j) = DH_a(i, exp(g,a[j]), m) + ODDHb1[i](m,m') = DH_b(i, m', m) + ODDHb8[i](m,j) = DH_b(i, exp(g,b[j]), m) + where DH_a(i, m', m) = (m'^a[i] = m) + DH_b(i, m', m) = (m'^b[i] = m) + + ODDHa[i](m,j) = DH_l(i, j, m) and in this case we can apply the CDH assumption and replace the result with "false" in the right-hand side - ODDHa8(m,j) = DH(exp(g,a), exp(g,a[j]), m) - ODDHb1(m,m') = DH(exp(g,b), m', m) - ODDHb(m,j) = DH(exp(g,b), exp(g,a[j]), m) + ODDHb[i](m,j) = DH_1(j, i, m) and in this case we can apply the CDH assumption and replace the result with "false" in the right-hand side - ODDHb8(m,j) = DH(exp(g,b), exp(g,b[j]), m) *) equiv(gdh(exp)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=nb) [useful_change] := return(m = exp(g, mult(b[j], a))) | foreach iaDDH8 <= naDDH8 do ODDHa8(m:G,j<=na) [3] := return(m = exp(g,mult(a[j], a))) | 
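Review bot: The rewritten oracle description at the top of this hunk spells what looks like the same predicate two ways, `DH_l(i, j, m)` for ODDHa and `DH_1(j, i, m)` for ODDHb (letter l versus digit 1), and unlike DH_a and DH_b it is never defined, so a reader has to reverse-engineer it from the oracle bodies. One of the two spellings is presumably a typo; I would pick one and add its definition next to those of DH_a and DH_b, e.g. `DH_l(i, j, m) = (m = exp(g, mult(b[j], a[i])))`, which is exactly what ODDHa returns on the left-hand side (`return(m = exp(g, mult(b[j], a)))`) and, with the indices swapped, what ODDHb returns. The `equiv(gdh(exp))` that this comment introduces continues past the end of the hunk.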
@@ -8158,17 +8685,19 @@ equiv(gdh(exp)) ) | foreach ib <= nb do b <-R Z; ( OB() := return(exp(g,b)) | + foreach ibeq <= nbeq do OBeq(m:G) := return(m = exp(g,b)) | foreach ibDDH1 <= nbDDH1 do ODDHb1(m:G, m':G) := return(m = exp(m', b)) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := return(m = exp(g, mult(a[j], b))) | foreach ibDDH8 <= nbDDH8 do ODDHb8(m:G,j<=nb) [3] := return(m = exp(g,mult(b[j], b))) | foreach ibDH9 <= nbDH9 do ODHb9(x:Z) [2] := return(exp(g, mult(b, x))) ) -<=(pGDH(time + (na + nb + 1) * time(exp), +<=(pGDH(time + (na + nb + 1 + #ODHa9 + #ODHb9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa8 + #ODDHb + #ODDHb1 + #ODDHb8) + (na + nb) * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp(g,a)) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=nb) := return(false) | foreach iaDDH8 <= naDDH8 do ODDHa8(m:G,j<=na) [3] := return(m = exp(g,mult(a[j], a))) | @@ -8176,6 +8705,7 @@ equiv(gdh(exp)) ) | foreach ib <= nb do b <-R Z [unchanged]; ( OB() := return(exp(g,b)) | + foreach ibeq <= nbeq do OBeq(m:G) := return(m = exp(g,b)) | foreach ibDDH1 <= nbDDH1 do ODDHb1(m:G, m':G) := return(m = exp(m', b)) | foreach ibDDH <= nbDDH do ODDHb(m:G, j<=na) := return(false) | foreach ibDDH8 <= nbDDH8 do ODDHb8(m:G,j<=nb) [3] := return(m = exp(g,mult(b[j], b))) | @@ -8193,7 +8723,7 @@ def square_GDH_RSR_minimal(G, Z, g, exp, mult, pSQGDH, pDistRerandom) { negligible probability, even in the presence of a decision DH oracle DH(A,B,C) tells whether A = g^a, C = B^a for some a. *) -param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. +param na, naeq, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. (* In the code below: - oracle OA gives the public Diffie-Hellman keys to the adversary 
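Review bot: The new bound `pGDH(time + (na + nb + 1 + #ODHa9 + #ODHb9) * time(exp), #ODDHa + #ODDHa1 + #ODDHa8 + #ODDHb + #ODDHb1 + #ODDHb8)` now charges the exponentiations performed by ODHa9/ODHb9, but the freshly added OAeq/OBeq oracles appear in neither argument and nothing at the bound says why that is sound. The justification — the reduction answers them by comparing against exp(g,a) / exp(g,b), presumably the exponentiations already counted by the na + nb term, so they cost neither a DDH query nor an extra exp — currently lives only in the left-hand-side comment of the previous hunk, far from the probability expression it justifies. I would restate it right above the bound: `(* #OAeq and #OBeq are not counted: they are answered by comparing with the public keys, without any DDH query or additional exponentiation *)`. The `equiv(gdh(exp))` this bound belongs to begins before this hunk.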
@@ -8202,8 +8732,8 @@ param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. CryptoVerif would not detect that exp(g, mult(a,x)) can be computed using exp(g,a), since exp(g,a) is not a subterm of exp(g, mult(a,x)). - Oracles ODDHa1 and ODDHa are instances of the decision DH oracle. - ODDHa1(m,m') = DH(exp(g,a), m', m) - ODDHa(m,j) = DH(exp(g,a), exp(g,a[j]), m) + ODDHa1[i](m,m') = DH_0(exp(g,a[i]), m', m) + ODDHa[i](m,j) = DH_l(i, j, m) and in this case we can apply the CDH assumption and replace the result with "false" in the right-hand side *) @@ -8211,13 +8741,18 @@ param na, naDDH, naDDH1, naDDH2, naDDH3, naDDH4, naDDH5, naDH9. equiv(gdh(exp)) foreach ia <= na do a <-R Z; ( OA() := return(exp(g,a)) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | + (* We put the oracle above before ODDHa1, so that ODDHa1 is not used when m' = g, + which would lead to additional calls to the DDH oracle when in fact + we can simply compare with the public key *) foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) [useful_change] := return(m = exp(g, mult(a[j], a))) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) [2] := return(exp(g, mult(a, x))) ) -<=(pSQGDH(time + (na+1) * time(exp), #ODDHa + #ODDHa1) + na * pDistRerandom)=> [computational] +<=(pSQGDH(time + (na+1 + #ODHa9) * time(exp), #ODDHa + #ODDHa1) + na * pDistRerandom)=> [computational] foreach ia <= na do a <-R Z [unchanged]; ( OA() := return(exp(g,a)) | + foreach iaeq <= naeq do OAeq(m:G) := return(m = exp(g,a)) | foreach iaDDH1 <= naDDH1 do ODDHa1(m:G, m':G) := return(m = exp(m', a)) | foreach iaDDH <= naDDH do ODDHa(m:G, j<=na) := return(false) | foreach iaDH9 <= naDH9 do ODHa9(x:Z) := return(exp(g, mult(a, x)))
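Review bot: The updated comment in square_GDH_RSR_minimal describes ODDHa1 as `DH_0(exp(g,a[i]), m', m)`, while the parallel comment in GDH_RSR_minimal describes the same oracle shape as `DH_a(i, m', m)`, and neither DH_0 nor DH_l is defined anywhere in the visible file, so a reader of one macro cannot tell whether the two notations denote the same predicate. I would either reuse one convention in both macros or define the predicates inline from the oracle bodies in the following hunk: `where DH_0(exp(g,a[i]), m', m) = (m = exp(m', a[i]))` and `DH_l(i, j, m) = (m = exp(g, mult(a[j], a[i])))`. If these names are meant to track definitions in the accompanying eprint, a pointer to the relevant section in the comment would serve the same purpose.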